diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ef2e397e5b..52940ae69f 100644 Binary files a/.openpublishing.redirection.json and b/.openpublishing.redirection.json differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index bb5e6e271f..7b8e606d40 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -17,7 +17,6 @@ ms.date: 11/15/2017 # MDM enrollment of Windows 10-based devices - In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email. > [!NOTE] @@ -233,7 +232,7 @@ To create a local account and connect the device: ![access work or school](images/unifiedenrollment-rs1-30.png) -4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). ![connect to work or school](images/unifiedenrollment-rs1-31.png) @@ -260,7 +259,7 @@ To create a local account and connect the device: ![phone settings](images/unifiedenrollment-rs1-39.png) -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). ![access work or school page](images/unifiedenrollment-rs1-40.png) @@ -325,7 +324,7 @@ To connect your devices to MDM using deep links: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - > (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. @@ -341,7 +340,8 @@ To connect your devices to MDM using deep links: 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. -After you complete the flow, your device will be connected to your organization’s MDM. + After you complete the flow, your device will be connected to your organization's MDM. + ![corporate sign in](images/deeplinkenrollment4.png) ## Manage connections @@ -375,7 +375,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec - Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. - On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. -> [!WARNING]   +> [!WARNING] > Disconnecting might result in the loss of data on the device. ## Collecting diagnostic logs diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 2927d154d3..aa0f6ee57d 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [July 2020](#july-2020) - [June 2020](#june-2020) - [May 2020](#may-2020) - [February 2020](#february-2020) @@ -313,7 +314,11 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
    • +
  • System/AllowDesktopAnalyticsProcessing
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/AllowMicrosoftManagedDesktopProcessing
    • +
  • System/AllowUpdateComplianceProcessing
    • +
  • System/AllowWUfBCloudProcessing
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
    • @@ -727,7 +732,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • User knows what policies, profiles, apps MDM has configured
  • IT helpdesk can get detailed MDM diagnostic information using client tools
    • -

    For details, see Managing connection and Collecting diagnostic logs

    +

    For details, see Managing connection and Collecting diagnostic logs

    Enroll a Windows 10 device automatically using Group Policy @@ -1226,7 +1231,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam -Connecting your Windows 10-based device to work using a deep link +Connect your Windows 10-based device to work using a deep link

    Added following deep link parameters to the table:

    -

    For details, see Managing connections and Collecting diagnostic logs

    +

    For details, see Managing connections and Collecting diagnostic logs

    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bd877c1e04..eb3f8eb24e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3379,6 +3379,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    System/AllowCommercialDataPipeline
    +
    + System/AllowDesktopAnalyticsProcessing +
    System/AllowDeviceNameInDiagnosticData
    @@ -3394,15 +3397,24 @@ The following diagram shows the Policy configuration service provider in tree fo
    System/AllowLocation
    +
    + System/AllowMicrosoftManagedDesktopProcessing +
    System/AllowStorageCard
    System/AllowTelemetry +
    +
    + System/AllowUpdateComplianceProcessing
    System/AllowUserToResetPhone
    +
    + System/AllowWUfBCloudProcessing +
    System/BootStartDriverInitialization
    diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 1707ca7bfc..24b822bab5 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -137,17 +137,17 @@ Here's an example: - + ``` where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. - `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. -- In this example, `Group1` and `Group2` are local groups on the device being configured. +- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. -> [!Note] -> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example. +> [!NOTE] +> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index e79a5df26a..84be3c8c4d 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 06/25/2020 ms.reviewer: manager: dansimp --- @@ -28,6 +28,9 @@ manager: dansimp
    System/AllowCommercialDataPipeline
    +
    + System/AllowDesktopAnalyticsProcessing +
    System/AllowDeviceNameInDiagnosticData
    @@ -43,15 +46,24 @@ manager: dansimp
    System/AllowLocation
    +
    + System/AllowMicrosoftManagedDesktopProcessing +
    System/AllowStorageCard
    System/AllowTelemetry
    +
    + System/AllowUpdateComplianceProcessing +
    System/AllowUserToResetPhone
    +
    + System/AllowWUfBCloudProcessing +
    System/BootStartDriverInitialization
    @@ -212,16 +224,14 @@ The following list shows the supported values: -> [!NOTE] -> This policy setting applies only to the Windows operating system and apps included with Windows, it does not apply to third-party apps or services running on Windows 10. +This policy setting controls whether Microsoft is a processor or controller for Windows diagnostic data collected from devices. -This policy setting opts the device into the Windows enterprise data pipeline. +If you enable this policy and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. -If you enable this setting, data collected from the device is opted into the Windows enterprise data pipeline. +If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. -If you disable or do not configure this setting, all data from the device is collected and processed in accordance with the policies for the Windows standard data pipeline. - -Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. +>[!Note] +> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. @@ -250,6 +260,85 @@ The following list shows the supported values:
    + +**System/AllowDesktopAnalyticsProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Desktop Analytics service is configured to use Windows diagnostic data collected from devices. + +If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. + +If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. + +>[!Note] +> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. + + + +ADMX Info: +- GP English name: *Allow Desktop Analytics Processing* +- GP name: *AllowDesktopAnalyticsProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 (default) – Diagnostic data is not processed by Desktop Analytics. +- 2 – Diagnostic data is allowed to be processed by Desktop Analytics. + + + + + + + + + + +
    + **System/AllowDeviceNameInDiagnosticData** @@ -598,6 +687,70 @@ The following list shows the supported values: - 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. - 2 – Force Location On. All Location Privacy settings are toggled on and grayed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + + +
    + + +**System/AllowMicrosoftManagedDesktopProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Microsoft Managed Desktop service is configured to use Windows diagnostic data collected from devices. + +If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. + +If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. + +> [!Note] +> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. + + + +The following list shows the supported values: + +- 0 (default)– Diagnostic data is not processed by Microsoft Managed Desktop. +- 32 – Diagnostic data is processed by Microsoft Managed Desktop. + @@ -801,6 +954,78 @@ ADMX Info:
    + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Update Compliance service is configured to use Windows diagnostic data collected from devices. + +If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. + +If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. + +>[!Note] +> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) setting to limit the diagnostic data that can be collected from the device. + + + +ADMX Info: +- GP English name: *Enable Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 (default)– Diagnostic data is not processed by Update Compliance. +- 16 – Diagnostic data is allowed to be processed by Update Compliance. + + + +
    + **System/AllowUserToResetPhone** @@ -861,6 +1086,70 @@ The following list shows the supported values:
    + +**System/AllowWUfBCloudProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Windows Update for Business cloud service is configured to use Windows diagnostic data collected from devices. + +If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. + +If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. + +>[!Note] +> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. + + + + +The following list shows the supported values: +- 0 (default) – Diagnostic data is not processed by Windows Update for Business cloud. +- 8 – Diagnostic data is allowed to be processed by Windows Update for Business cloud. + + + + + **System/BootStartDriverInitialization** diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md index f79f85154e..fed6d0138d 100644 --- a/windows/client-management/mdm/policy-csps-admx-backed.md +++ b/windows/client-management/mdm/policy-csps-admx-backed.md @@ -406,6 +406,8 @@ ms.date: 07/18/2019 - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) - [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/AllowDesktopAnalyticsProcessing](./policy-csp-system.md#system-allowdesktopanalyticsprocessing) +- [System/AllowUpdateComplianceProcessing](./policy-csp-system.md#system-allowppdatecomplianceprocessing) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d39db925b7..b788f2aa7c 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -141,11 +141,11 @@ For the payloads (optional): **How does Delivery Optimization handle VPNs?** Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." -If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. -If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. +If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected via VPN, it can still leverage peer-to-peer with the default of LAN. -With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints: +With split tunneling, make sure to allow direct access to these endpoints: Delivery Optimization service endpoint: - `https://*.prod.do.dsp.mp.microsoft.com` @@ -161,7 +161,7 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro - `https://*.update.microsoft.com` - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` -For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). +For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). ## Troubleshooting diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 8fa731dc2a..83cc19c6e9 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -26,16 +26,13 @@ ms.topic: article You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more. ->[!IMPORTANT] ->In Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported on this platform. - ## Summary of Windows Update settings | Group Policy setting | MDM setting | Supported from version | | --- | --- | --- | | [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All | | [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 | -| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All | +| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | [Update/SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess)| All | | [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All | | [Enable client-side targeting](#enable-client-side-targeting) | | All | | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 2b3ffca049..c8f3eba453 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -3,7 +3,7 @@ title: Windows Autopilot requirements ms.reviewer: manager: laurawi description: See the requirements you need to run Windows Autopilot in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, Autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -27,7 +27,7 @@ ms.custom: Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. > [!NOTE] -> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). +> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsAutopilot). ## Software requirements @@ -50,7 +50,12 @@ Windows Autopilot depends on a variety of internet-based services. Access to the - Ensure DNS name resolution for internet DNS names. - Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP). -In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details: +In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. + +> [!NOTE] +> Smart card and certificate based authentication are not supported during OOBE. For more information, see [Smartcards and certificate-based authentication](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan#smartcards-and-certificate-based-authentication). + +For additional details about each of these services and their specific requirements, review the following details:
    ServiceInformation
    Windows Autopilot Deployment ServiceAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
    @@ -61,11 +66,11 @@ In environments that have more restrictive Internet access, or for those that re
    IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
    Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
    -If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. +If Windows Update is inaccessible, the Autopilot process will still continue but critical updates will not be available.
    Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
    -If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). +If the Delivery Optimization Service is inaccessible, the Autopilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
    Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
    Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. @@ -80,11 +85,11 @@ If diagnostic data cannot be sent, the Autopilot process will still continue, bu If the WNS services are not available, the Autopilot process will still continue without notifications.
    Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
    -If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. +If the Microsoft Store is not accessible, the Autopilot process will still continue without Microsoft Store apps.
    Office 365As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
    Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. -
    Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +
    Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
    Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
    Intel- https://ekop.intel.com/ekcertservice @@ -95,15 +100,15 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti ## Licensing requirements -Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: +Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs. To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: -- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business). -- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline). -- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx). -- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). -- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. -- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. +- [Microsoft 365 Business Premium subscription](https://www.microsoft.com/microsoft-365/business). +- [Microsoft 365 F1 or F3 subscription](https://www.microsoft.com/microsoft-365/enterprise/firstline). +- [Microsoft 365 Academic A1, A3, or A5 subscription](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx). +- [Microsoft 365 Enterprise E3 or E5 subscription](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). +- [Enterprise Mobility + Security E3 or E5 subscription](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. +- [Intune for Education subscription](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service). > [!NOTE] @@ -124,9 +129,9 @@ Before Windows Autopilot can be used, some configuration tasks are required to s Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. -- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-Autopilot#create-an-Autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-Autopilot#assign-an-Autopilot-deployment-profile-to-a-device-group) for more information. -See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. +See [Windows Autopilot Scenarios](windows-Autopilot-scenarios.md) for additional details. For a walkthrough for some of these and related steps, see this video: @@ -138,4 +143,4 @@ There are no additional hardware requirements to use Windows 10 Autopilot, beyon ## Related topics -[Configure Autopilot deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/) +[Configure Autopilot deployment](https://docs.microsoft.com/windows/deployment/windows-Autopilot/) diff --git a/windows/privacy/data-processor-service-for-windows-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-public-preview-terms.md new file mode 100644 index 0000000000..190bf05309 --- /dev/null +++ b/windows/privacy/data-processor-service-for-windows-public-preview-terms.md @@ -0,0 +1,170 @@ +--- +title: Data processor service for Windows public preview terms +description: Use this article to understand Windows public preview terms of service. +keywords: privacy, GDPR +ms.localizationpriority: high +ROBOTS: NOINDEX, NOFOLLOW +ms.prod: w10 +ms.topic: article +f1.keywords: +- NOCSH +ms.author: daniha +author: DaniHalfin +manager: dansimp +audience: itpro +ms.collection: +- GDPR +- M365-security-compliance +--- + +# Data processor service for Windows public preview terms + +**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.** + +These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD. + + 1. **Definitions**. The following terms have the following meanings: + + 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD. + + 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services. + + 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. + + 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services. + + 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data. + +2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications. + +3. **Intellectual Property**. + + 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms. + + 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term. + + 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws. + + 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control. + +4. **Confidentiality**. The following confidentiality terms apply to the Preview: + + 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:

    + 1. a party’s released or unreleased software or hardware products;

    + 2. a party’s source code;

    + 3. a party’s product marketing or promotion;

    + 4. a party’s business policies or practices;

    + 5. a party’s customers or suppliers;

    + 6. information received from others that a party must treat as confidential; and

    + 7. information provided, obtained, or created by a party under these Terms, including: + * information in reports; + * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source; + * Personal Data; and + * Transactional, sales, and marketing information. + + 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information. + + 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:

    + 1. system access;

    + 2. system and application development and maintenance;

    + 3. change management;

    + 4. asset classification and control;

    + 5. incident response, physical and environmental security;

    + 6. disaster recovery/business continuity; and

    + 7. employee training. + +5. **Data Protection.** + + **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Appendix 1 govern that processing and the parties also agree to the following terms: + + 1. Processing Details: The parties agree that: + * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR; + * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms; + * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms; + * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and + * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers. + + 2. Data Transfers: + * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services. + * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR. + * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles. + +6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services. + +7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview. + +8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights). + +9. **Representations and Warranties; Limitation of Liability.** + + 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms. + + 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR. + + 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4. + +10. **General.** + + 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party. + + 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington. + + 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action. + + 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses. + + 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent. + + 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter. + + 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.

    + +

    + Appendix 1: GDPR Terms
    + +For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data. + +**Relevant GDPR Obligations: Articles 28, 32, and 33** + +1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2)) +2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall: + + 1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; + + 2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; + + 3. take all measures required pursuant to Article 32 of the GDPR; + + 4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor; + + 5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR; + + 6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft; + + 7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data; + + 8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. + + 9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3)) + +3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4)) + +4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: + + 1. the pseudonymisation and encryption of Personal Data; + + 2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; + + 3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and + + 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1)) + +5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2)) + +6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4)) + +7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft. + + + + \ No newline at end of file diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md new file mode 100644 index 0000000000..b7fbf5e044 --- /dev/null +++ b/windows/privacy/deploy-data-processor-service-windows.md @@ -0,0 +1,96 @@ +--- +title: Technical Deployment of the data processor service for Windows +description: Use this article to understand how to deploy and manage the data processor service for Windows. +keywords: privacy, GDPR +ms.localizationpriority: high +ROBOTS: NOINDEX, NOFOLLOW +ms.prod: w10 +ms.topic: article +f1.keywords: +- NOCSH +ms.author: daniha +author: DaniHalfin +manager: dansimp +audience: itpro +ms.collection: +- GDPR +- M365-security-compliance +--- + +# Data processor service for Windows Overview + +>[!NOTE] +>This topic is intended for participants in the data processor service for Windows preview program and requires acceptance of specific terms of use. To learn +more about the program and agree to the terms of use, see [https://aka.ms/dpswpublicpreview](https://aka.ms/dpswpublicpreview). + +The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs. +The data processor service for Windows empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR). + +The data processor service for Windows will serve as a foundation for other Microsoft services that use Windows diagnostic data. + +The data processor service for Windows offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations. +Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards. + +The data processor service for Windows provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID. +Should you desire so, Microsoft will accommodate a data processor service for Windows tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer. + +>[!Note] +>Tenant account closure will lead to the deletion of all data associated with that tenant. + +## Deployment of data processor service for Windows +Use the instructions below to easily manage the data processor service for Windows using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer. + +### Prerequisites +#### Versions supported +The data processor service for Windows is currently supported on Windows 10, version 1809, and newer versions. + +#### Network requirements +The following endpoints need to be reachable from devices enrolled into the data processor service for Windows: + + login.live.com + + cy2.vortex.data.microsoft.com.akadns.net + + v10.events.data.microsoft.com + + v10.vortex-win.data.microsoft.com/collect/v1 + +For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version: + +[Windows 10, version 1809 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1809-endpoints) + +[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints) + +### Deploying data processor service for Windows +You can use either Group Policy or an MDM solution to deploy the data processor service for Windows to your supported devices. + +In Group Policy, to enable data collection through the data processor service for Windows, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**. + +If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**. + +To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows to your supported devices, use the following custom OMA-URI setting configuration: + +- **Name:** System/AllowCommercialDataPipeline +- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline +- **Data type:** Integer + +Under **Value**, use **1** to enable the service. + +If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**. + +>[!Note] +>Data collected from a device, before it was enrolled into the data processor service for Windows, will not be moved into the enterprise compliance boundary. + +## Managing data processor service for Windows +### Executing user-based data subject requests (DSRs) +To perform user-based DSRs, the data processor service for Windows requires your organization to be reflected in Azure AD. + +If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action. + +If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join. +To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis). + +Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide). + +## Geo-location +Windows Diagnostic Data collected through the data processor service for Windows is hosted in our datacenter in the United States. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index a51e3b166f..d4c919784d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -19,10 +19,10 @@ ms.reviewer: # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. @@ -36,7 +36,20 @@ Ensure you apply the Windows Server 2016 Update to all nodes in the farm after y A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +> [!NOTE] +>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> +> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". +> 2. Right click "Scope Descriptions" and select "Add Scope Description". +> 3. Under name type "ugs" and Click Apply > OK. +> 4. Launch Powershell as Administrator. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 7. Restart the ADFS service. +> 8. On the client: Restart the client. User should be prompted to provision WHFB. +> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. ## Update Windows Server 2016 @@ -52,19 +65,21 @@ Sign-in the federation server with _local admin_ equivalent credentials. Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) -* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* + +- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) +- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. ### Internal Web Server Authentication Certificate Enrollment + Sign-in the federation server with domain administrator equivalent credentials. 1. Start the Local Computer **Certificate Manager** (certlm.msc). @@ -83,10 +98,11 @@ A server authentication certificate should appear in the computer’s Personal c ## Deploy the Active Directory Federation Service Role -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration -* Certificate registration authority (certificate trust deployments) +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments: + +- Device registration +- Key registration +- Certificate registration authority (certificate trust deployments) >[!IMPORTANT] > Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. @@ -94,6 +110,7 @@ The Active Directory Federation Service (AD FS) role provides the following serv Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. Sign-in the federation server with _Enterprise Admin_ equivalent credentials. + 1. Start **Server Manager**. Click **Local Server** in the navigation pane. 2. Click **Manage** and then click **Add Roles and Features**. 3. Click **Next** on the **Before you begin** page. @@ -107,12 +124,13 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +- Confirm the AD FS farm uses the correct database configuration. +- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +- Confirm **all** AD FS servers in the farm have the latest updates. +- Confirm all AD FS servers have a valid server authentication certificate. + - The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + - The alternate name of the certificate contains a wildcard or the FQDN of the federation service. ## Device Registration Service Account Prerequisite @@ -130,8 +148,9 @@ GMSA uses the Microsoft Key Distribution Service that is located on Windows Serv #### Create KDS Root Key Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. + 1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`. ### Windows Server 2008 or 2008 R2 Domain Controllers @@ -140,6 +159,7 @@ Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key #### Create an AD FS Service Account Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + 1. Open **Active Directory Users and Computers**. 2. Right-click the **Users** container, Click **New**. Click **User**. 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. @@ -241,12 +261,12 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment +* Confirm you followed the correct procedures based on the domain controllers used in your deployment. * Windows Server 2012 or Windows Server 2012 R2 * Windows Server 2008 or Windows Server 2008 R2 * Confirm you have the correct service account based on your domain controller version. * Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate +* Confirm you used a certificate with the correct names as the server authentication certificate. * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: * Certificate serial number * Certificate thumbprint @@ -282,8 +302,8 @@ Sign-in a certificate authority or management workstations with _domain administ 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. ->[!NOTE] -> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + > [!NOTE] + > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 8. On the **Security** tab, click **Add**. @@ -316,11 +336,12 @@ Sign-in a certificate authority or management workstations with _domain administ 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. + > [!NOTE] + > If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. @@ -332,7 +353,7 @@ Sign-in a certificate authority or management workstations with _domain administ Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. 1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`. >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. @@ -369,14 +390,14 @@ Approximately 60 days prior to enrollment agent certificate’s expiration, the ### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service > [!NOTE] -> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN) +> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN). Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script: > [!TIP] > Make sure to change the $enrollmentService and $configNC variables before running the script. -```Powershell +```powershell # Replace this with your Device Registration Service endpoint $enrollmentService = "enterpriseregistration.contoso.com" # Replace this with your Active Directory configuration naming context @@ -420,8 +441,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) +8. Click **Install** to start the feature installation. + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS @@ -457,7 +478,7 @@ Sign-in the domain controller or administrative workstation with domain administ 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. 5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console +6. Close the DNS Management console. ## Configure the Intranet Zone to include the federation service @@ -465,10 +486,10 @@ The Windows Hello provisioning presents web pages from the federation service. ### Create an Intranet Zone Group Policy -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials: +1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** +3. Right-click **Group Policy object** and select **New**. 4. Type **Intranet Zone Settings** in the name box and click **OK**. 5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. @@ -478,7 +499,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_ ### Deploy the Intranet Zone Group Policy object -1. Start the **Group Policy Management Console** (gpmc.msc) +1. Start the **Group Policy Management Console** (gpmc.msc). 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** 3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. @@ -490,8 +511,8 @@ Before you continue with the deployment, validate your deployment progress by re * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. * Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe - * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions + * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe. + * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions. * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. @@ -511,7 +532,7 @@ You need to verify the AD FS service has properly enrolled for an enrollment age ### Event Logs -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show: * The account name under which the certificate was enrolled. * The action, which should read enroll. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index f3b86a3536..6e1445768e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -24,9 +24,9 @@ ms.reviewer: - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. ## Discovering schema role diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index cf63fb2c17..e5ebf54b09 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -57,12 +57,12 @@ To do this, follow the **Configure device settings** steps under [Setting up Azu Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema -### Upgrading Active Directory to the Windows Server 2016 Schema +### Upgrading Active Directory to the Windows Server 2016 or later Schema -To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. +To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section). #### Identify the schema role domain controller @@ -78,7 +78,7 @@ The command should return the name of the domain controller where you need to ru Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index addf977d26..09d9929b85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -39,7 +39,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. -Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. +Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory or later schema. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -49,7 +49,7 @@ Review these requirements and those from the Windows Hello for Business planning > * Active Directory Domain Functional Level > * Active Directory Forest Functional Level > * Domain Controller version -> * Windows Server 2016 Schema +> * Windows Server 2016 or later Schema > * Azure Active Directory subscription > * Correct subscription for desired features and outcomes diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 328c9513bf..00c8e2e6f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -19,12 +19,14 @@ ms.reviewer: # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows 10, version 1703 or later -- Hybrid deployment -- Certificate trust + +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ## Federation Services -The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. @@ -45,7 +47,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials. >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - ### Group Memberships for the AD FS Service Account The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. @@ -57,13 +58,27 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. -3. Right-click **Windows Hello for Business Users** group -4. Click the **Members** tab and click **Add** +3. Right-click **Windows Hello for Business Users** group. +4. Click the **Members** tab and click **Add**. 5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. 7. Restart the AD FS server. +> [!NOTE] +>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". +> 2. Right click "Scope Descriptions" and select "Add Scope Description". +> 3. Under name type "ugs" and Click Apply > OK. +> 4. Launch Powershell as Administrator. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 7. Restart the ADFS service. +> 8. On the client: Restart the client. User should be prompted to provision WHFB. +> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. + ### Section Review + > [!div class="checklist"] > * Configure the registration authority. > * Update group memberships for the AD FS service account. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3e982143da..a5a6d5a9a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -52,7 +52,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | Key trust
    Group Policy managed | Certificate trust
    Mixed managed | Key trust
    Modern managed | Certificate trust
    Modern managed | | --- | --- | --- | --- | | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
    *Minimum:* Windows 10, version 1703
    *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
    **Azure AD Joined:**
    Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | -| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | +| Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 93ca09aa2f..cb6105c66b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -30,7 +30,7 @@ Key trust deployments need an adequate number of 2016 or later domain controller > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. ## Create the Windows Hello for Business Users Security Global Group diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 9369ea8370..c3acaa98e3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -88,7 +88,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 26a7658ef1..822f7a9985 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -63,7 +63,8 @@ The following list provides examples of specific events that will cause BitLocke - Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. - >**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + > [!NOTE] + > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. @@ -72,18 +73,21 @@ The following list provides examples of specific events that will cause BitLocke - Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. - >**Note:**  The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + > [!NOTE] + > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. ->**Note:**  Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. +> [!NOTE] +> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. ->**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. +> [!NOTE] +> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. @@ -106,7 +110,8 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde. -ComputerName -forcerecovery ` -> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). + > [!NOTE] + > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). ## Planning your recovery process @@ -142,7 +147,8 @@ If the user does not have a recovery password in a printout or on a USB flash dr In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. ->**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +> [!NOTE] +> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. @@ -182,7 +188,8 @@ Before you give the user the recovery password, you should gather any informatio Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. ->**Note:**  Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. +> [!NOTE] +> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. ### Post-recovery analysis @@ -217,7 +224,8 @@ After you have identified what caused recovery, you can reset BitLocker protecti The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. ->**Note:**  You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. +> [!NOTE] +> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) @@ -253,6 +261,153 @@ This error might occur if you updated the firmware. As a best practice you shoul Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. + +## BitLocker recovery screen + +During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. + +### Custom recovery message + +BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. + +This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. + +It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: +*./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage* + +![Custom URL](./images/bl-intune-custom-url.png) + +Example of customized recovery screen: + +![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) + + + +### BitLocker recovery key hints + +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. + +![Customized BitLocker recovery screen](./images/bl-password-hint2.png) + +> [!IMPORTANT] +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. + + +There are rules governing which hint is shown during the recovery (in order of processing): + +1. Always display custom recovery message if it has been configured (using GPO or MDM). +2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." +3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. +4. Prioritize keys with successful backup over keys that have never been backed up. +5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. +6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. + + +#### Example 1 (single recovery key with single backup) + +| Custom URL | Yes | +|----------------------|------------| +| Saved to Microsoft Account | Yes | +| Saved to Azure AD | No | +| Saved to Active Directory | No | +| Printed | No | +| Saved to file | No | + +**Result:** The hint for the Microsoft Account and custom URL are displayed. + +![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) + +#### Example 2 (single recovery key with single backup) + +| Custom URL | Yes | +|----------------------|------------| +| Saved to Microsoft Account | No | +| Saved to Azure AD | No | +| Saved to Active Directory | Yes | +| Printed | No | +| Saved to file | No | + +**Result:** Only the custom URL is displayed. + +![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG) + +#### Example 3 (single recovery key with multiple backups) + +| Custom URL | No | +|----------------------|------------| +| Saved to Microsoft Account | Yes | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | +| Printed | Yes | +| Saved to file | Yes | + +**Result:** Only the Microsoft Account hint is displayed. + +![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG) + +#### Example 4 (multiple recovery passwords) + +| Custom URL | No | +|----------------------|-----------------| +| Saved to Microsoft Account | No | +| Saved to Azure AD | No | +| Saved to Acive Directory | No | +| Printed | No | +| Saved to file | Yes | +| Creation time | **1PM** | +| Key ID | A564F193 | + +  +  + +| Custom URL | No | +|----------------------|-----------------| +| Saved to Microsoft Account | No | +| Saved to Azure AD | No | +| Saved to Active Directory | No | +| Printed | No | +| Saved to file | No | +| Creation time | **3PM** | +| Key ID | T4521ER5 | + +**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. + +![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) + + +#### Example 5 (multiple recovery passwords) + +| Custom URL | No | +|----------------------|-----------------| +| Saved to Microsoft Account | Yes | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | +| Printed | No | +| Saved to file | No | +| Creation time | **1PM** | +| Key ID | 99631A34 | + +  +  + +| Custom URL | No | +|----------------------|-----------------| +| Saved to Microsoft Account | No | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | +| Printed | No | +| Saved to file | No | +| Creation time | **3PM** | +| Key ID | 9DF70931 | + +**Result:** The hint for the most recent key is displayed. + +![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) + + ## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. @@ -261,7 +416,8 @@ Besides the 48-digit BitLocker recovery password, other types of recovery inform If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. ->**Note:**  You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. +> [!NOTE] +> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). @@ -299,7 +455,8 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` - >**Warning:**  You must include the braces in the ID string. + > [!WARNING] + > You must include the braces in the ID string. **To run the sample recovery password script** @@ -308,9 +465,11 @@ You can reset the recovery password in two ways: **cscript ResetPassword.vbs** -> **Important:** This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. -> -> **Note:**  To manage a remote computer, you can specify the remote computer name rather than the local computer name. + > [!IMPORTANT] + > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + +> [!NOTE] +> To manage a remote computer, you can specify the remote computer name rather than the local computer name. You can use the following sample script to create a VBScript file to reset the recovery passwords. diff --git a/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png b/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png new file mode 100644 index 0000000000..a563d3153f Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png differ diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint1.png b/windows/security/information-protection/bitlocker/images/bl-password-hint1.png new file mode 100644 index 0000000000..864e84c6e9 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/bl-password-hint1.png differ diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint2.png b/windows/security/information-protection/bitlocker/images/bl-password-hint2.png new file mode 100644 index 0000000000..01a5f08c42 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/bl-password-hint2.png differ diff --git a/windows/security/information-protection/bitlocker/images/rp-example1.PNG b/windows/security/information-protection/bitlocker/images/rp-example1.PNG new file mode 100644 index 0000000000..1c9b7bc560 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/rp-example1.PNG differ diff --git a/windows/security/information-protection/bitlocker/images/rp-example2.PNG b/windows/security/information-protection/bitlocker/images/rp-example2.PNG new file mode 100644 index 0000000000..eee52f9c54 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/rp-example2.PNG differ diff --git a/windows/security/information-protection/bitlocker/images/rp-example3.PNG b/windows/security/information-protection/bitlocker/images/rp-example3.PNG new file mode 100644 index 0000000000..ed1158c2a1 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/rp-example3.PNG differ diff --git a/windows/security/information-protection/bitlocker/images/rp-example4.PNG b/windows/security/information-protection/bitlocker/images/rp-example4.PNG new file mode 100644 index 0000000000..8cd88812bc Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/rp-example4.PNG differ diff --git a/windows/security/information-protection/bitlocker/images/rp-example5.PNG b/windows/security/information-protection/bitlocker/images/rp-example5.PNG new file mode 100644 index 0000000000..7a588bdd67 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/rp-example5.PNG differ diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f1097f3829..c5bd8c7fbb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -20,17 +20,25 @@ ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md) ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) +## [Migration guides]() +### [Migrate from Symantec to Microsoft Defender ATP]() +#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md) +#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md) +#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md) +#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md) + ## [Security administration]() ### [Threat & Vulnerability Management]() #### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) #### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) #### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md) #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -#### [Configuration score](microsoft-defender-atp/configuration-score.md) +#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) #### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) #### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) #### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) #### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) +#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md) #### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) ### [Attack surface reduction]() @@ -211,6 +219,7 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) ##### [Set preferences](microsoft-defender-atp/mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) +##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md) @@ -434,7 +443,11 @@ #### [Rules]() ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) -##### [Manage indicators](microsoft-defender-atp/manage-indicators.md) +##### [Create indicators](microsoft-defender-atp/manage-indicators.md) +###### [Create indicators for files](microsoft-defender-atp/indicator-file.md) +###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md) +###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md) +###### [Manage indicators](microsoft-defender-atp/indicator-manage.md) ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) @@ -575,7 +588,6 @@ ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) - #### [Raw data streaming API]() ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) @@ -589,7 +601,6 @@ ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) - #### [Partners & APIs]() ##### [Partner applications](microsoft-defender-atp/partner-applications.md) diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 27a1d4a933..0c95144cb1 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -31,7 +31,7 @@ This subcategory contains events about issued TGSs and failed TGS requests. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

    IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
    We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | +| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

    IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).

    We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | @@ -42,4 +42,3 @@ This subcategory contains events about issued TGSs and failed TGS requests. - [4770](event-4770.md)(S): A Kerberos service ticket was renewed. - [4773](event-4773.md)(F): A Kerberos service ticket request failed. - diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 7b43d6901d..7bc3af8993 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -27,7 +27,11 @@ Microsoft maintains an active commitment to meeting the requirements of the FIPS ## Using Windows in a FIPS 140-2 approved mode of operation -Windows 10 and Windows server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.” Achieving this mode of operation requires administrators to complete all four steps outlined below. +Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.”  When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2 approved mode of operation will not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory. +  +While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.  +  +Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below. ### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed @@ -75,6 +79,10 @@ These are two separate security standards with different, but complementary, pur Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard. +### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows? + +When Windows is configured to operate in FIPS 140 approved mode on both client and server, SMB3 is FIPS 140 compliant and relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.  + ## Microsoft FIPS 140-2 validated cryptographic modules The following tables identify the cryptographic modules used in an operating system, organized by release. @@ -7182,6 +7190,9 @@ Version 6.3.9600
    +## Contact + +fips@microsoft.com ## References diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 45f76a991a..3d52254721 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, configuration score, advanced hunting, cyber threat hunting, web threat protection +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -54,7 +54,7 @@ This built-in capability uses a game-changing risk-based approach to the discove - [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) - [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) - [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -- [Configuration score](microsoft-defender-atp/configuration-score.md) +- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) - [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) - [Remediation](microsoft-defender-atp/tvm-remediation.md) - [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) @@ -111,12 +111,11 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft -**[Configuration Score](microsoft-defender-atp/configuration-score.md)**
    ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). +**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
    -Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. -- [Configuration score](microsoft-defender-atp/configuration-score.md) +Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. + +- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) - [Threat analytics](microsoft-defender-atp/threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index e366bb2066..840b26d06e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 06/10/2020 +ms.date: 06/29/2020 ms.reviewer: manager: dansimp --- @@ -38,7 +38,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di 2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`. > [!NOTE] -> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. +> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. 3. Type the following command, and then press **Enter** diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 029173c6e9..f441fe1064 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -54,7 +54,7 @@ Because your protection is a cloud service, computers must have access to the in | :--: | :-- | :-- | | Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
    `*.wdcpalt.microsoft.com`
    `*.wd.microsoft.com`| | Microsoft Update Service (MU)
    Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
    `*.delivery.mp.microsoft.com`
    `*.windowsupdate.com`
    for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| -|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`
    `*.download.windowsupdate.com`
    `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | @@ -121,6 +121,6 @@ You will also see a detection under **Quarantined threats** in the **Scan histor - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) -- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md) +- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 66adf9c4d6..59e059aeb5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -54,7 +54,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. @@ -72,18 +72,18 @@ Set-MpPreference -DisableAutoExclusions $true [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). -[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 -Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties: ```WMI DisableAutoExclusions ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) ## List of automatic exclusions @@ -95,110 +95,110 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r #### Windows "temp.edb" files -- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb +- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` -- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log +- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` #### Windows Update files or Automatic Update files -- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb +- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` -- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk +- `%windir%\SoftwareDistribution\Datastore\*\edb.chk` -- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log +- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` -- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs +- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` -- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log +- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` #### Windows Security files -- *%windir%*\Security\database\\*.chk +- `%windir%\Security\database\*.chk` -- *%windir%*\Security\database\\*.edb +- `%windir%\Security\database\*.edb` -- *%windir%*\Security\database\\*.jrs +- `%windir%\Security\database\*.jrs` -- *%windir%*\Security\database\\*.log +- `%windir%\Security\database\*.log` -- *%windir%*\Security\database\\*.sdb +- `%windir%\Security\database\*.sdb` #### Group Policy files -- *%allusersprofile%*\NTUser.pol +- `%allusersprofile%\NTUser.pol` -- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol +- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` -- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol +- `%SystemRoot%\System32\GroupPolicy\User\registry.pol` #### WINS files -- *%systemroot%*\System32\Wins\\*\\\*.chk +- `%systemroot%\System32\Wins\*\*.chk` -- *%systemroot%*\System32\Wins\\*\\\*.log +- `%systemroot%\System32\Wins\*\*.log` -- *%systemroot%*\System32\Wins\\*\\\*.mdb +- `%systemroot%\System32\Wins\*\*.mdb` -- *%systemroot%*\System32\LogFiles\ +- `%systemroot%\System32\LogFiles\` -- *%systemroot%*\SysWow64\LogFiles\ +- `%systemroot%\SysWow64\LogFiles\` #### File Replication Service (FRS) exclusions - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + - `%windir%\Ntfrs\jet\sys\*\edb.chk` - - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + - `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - - *%windir%*\Ntfrs\jet\log\\*\\\*.log + - `%windir%\Ntfrs\jet\log\*\*.log` -- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` +- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` - - *%windir%*\Ntfrs\\*\Edb\*.log + - `%windir%\Ntfrs\*\Edb\*.log` -- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` +- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + - `%systemroot%\Sysvol\*\Nntfrs_cmp*\` - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` - - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\` -- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` +- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` > [!NOTE] - > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions). + > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). - - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + - `%systemdrive%\System Volume Information\DFSR\$db_normal$` - - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - - *%systemdrive%*\System Volume Information\DFSR\\*.XML + - `%systemdrive%\System Volume Information\DFSR\*.XML` - - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + - `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + - `%systemdrive%\System Volume Information\DFSR\$db_clean$` - - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + - `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + - `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - - *%systemdrive%*\System Volume Information\DFSR\\*.frx + - `%systemdrive%\System Volume Information\DFSR\*.frx` - - *%systemdrive%*\System Volume Information\DFSR\\*.log + - `%systemdrive%\System Volume Information\DFSR\*.log` - - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + - `%systemdrive%\System Volume Information\DFSR\Tmp.edb` #### Process exclusions -- *%systemroot%*\System32\dfsr.exe +- `%systemroot%\System32\dfsr.exe` -- *%systemroot%*\System32\dfsrs.exe +- `%systemroot%\System32\dfsrs.exe` #### Hyper-V exclusions @@ -206,59 +206,59 @@ This section lists the file type exclusions, folder exclusions, and process excl - File type exclusions: - - *.vhd + - `*.vhd` - - *.vhdx + - `*.vhdx` - - *.avhd + - `*.avhd` - - *.avhdx + - `*.avhdx` - - *.vsv + - `*.vsv` - - *.iso + - `*.iso` - - *.rct + - `*.rct` - - *.vmcx + - `*.vmcx` - - *.vmrs + - `*.vmrs` - Folder exclusions: - - *%ProgramData%*\Microsoft\Windows\Hyper-V + - `%ProgramData%\Microsoft\Windows\Hyper-V` - - *%ProgramFiles%*\Hyper-V + - `%ProgramFiles%\Hyper-V` - - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` - - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + - `%Public%\Documents\Hyper-V\Virtual Hard Disks` - Process exclusions: - - *%systemroot%*\System32\Vmms.exe + - `%systemroot%\System32\Vmms.exe` - - *%systemroot%*\System32\Vmwp.exe + - `%systemroot%\System32\Vmwp.exe` #### SYSVOL files -- *%systemroot%*\Sysvol\Domain\\*.adm +- `%systemroot%\Sysvol\Domain\*.adm` -- *%systemroot%*\Sysvol\Domain\\*.admx +- `%systemroot%\Sysvol\Domain\*.admx` -- *%systemroot%*\Sysvol\Domain\\*.adml +- `%systemroot%\Sysvol\Domain\*.adml` -- *%systemroot%*\Sysvol\Domain\Registry.pol +- `%systemroot%\Sysvol\Domain\Registry.pol` -- *%systemroot%*\Sysvol\Domain\\*.aas +- `%systemroot%\Sysvol\Domain\*.aas` -- *%systemroot%*\Sysvol\Domain\\*.inf +- `%systemroot%\Sysvol\Domain\*.inf` -- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini +- `%systemroot%\Sysvol\Domain\*.Scripts.ini` -- *%systemroot%*\Sysvol\Domain\\*.ins +- `%systemroot%\Sysvol\Domain\*.ins` -- *%systemroot%*\Sysvol\Domain\Oscfilter.ini +- `%systemroot%\Sysvol\Domain\Oscfilter.ini` ### Active Directory exclusions @@ -268,51 +268,51 @@ This section lists the exclusions that are delivered automatically when you inst The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` -- %windir%\Ntds\ntds.dit +- `%windir%\Ntds\ntds.dit` -- %windir%\Ntds\ntds.pat +- `%windir%\Ntds\ntds.pat` #### The AD DS transaction log files The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` -- %windir%\Ntds\EDB*.log +- `%windir%\Ntds\EDB*.log` -- %windir%\Ntds\Res*.log +- `%windir%\Ntds\Res*.log` -- %windir%\Ntds\Edb*.jrs +- `%windir%\Ntds\Edb*.jrs` -- %windir%\Ntds\Ntds*.pat +- `%windir%\Ntds\Ntds*.pat` -- %windir%\Ntds\TEMP.edb +- `%windir%\Ntds\TEMP.edb` #### The NTDS working folder This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` -- %windir%\Ntds\Temp.edb +- `%windir%\Ntds\Temp.edb` -- %windir%\Ntds\Edb.chk +- `%windir%\Ntds\Edb.chk` #### Process exclusions for AD DS and AD DS-related support files -- %systemroot%\System32\ntfrs.exe +- `%systemroot%\System32\ntfrs.exe` -- %systemroot%\System32\lsass.exe +- `%systemroot%\System32\lsass.exe` ### DHCP Server exclusions This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` -- *%systemroot%*\System32\DHCP\\*\\\*.mdb +- `%systemroot%\System32\DHCP\*\*.mdb` -- *%systemroot%*\System32\DHCP\\*\\\*.pat +- `%systemroot%\System32\DHCP\*\*.pat` -- *%systemroot%*\System32\DHCP\\*\\\*.log +- `%systemroot%\System32\DHCP\*\*.log` -- *%systemroot%*\System32\DHCP\\*\\\*.chk +- `%systemroot%\System32\DHCP\*\*.chk` -- *%systemroot%*\System32\DHCP\\*\\\*.edb +- `%systemroot%\System32\DHCP\*\*.edb` ### DNS Server exclusions @@ -320,27 +320,27 @@ This section lists the file and folder exclusions and the process exclusions tha #### File and folder exclusions for the DNS Server role -- *%systemroot%*\System32\Dns\\*\\\*.log +- `%systemroot%\System32\Dns\*\*.log` -- *%systemroot%*\System32\Dns\\*\\\*.dns +- `%systemroot%\System32\Dns\*\*.dns` -- *%systemroot%*\System32\Dns\\*\\\*.scc +- `%systemroot%\System32\Dns\*\*.scc` -- *%systemroot%*\System32\Dns\\*\BOOT +- `%systemroot%\System32\Dns\*\BOOT` #### Process exclusions for the DNS Server role -- *%systemroot%*\System32\dns.exe +- `%systemroot%\System32\dns.exe` ### File and Storage Services exclusions This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. -- *%SystemDrive%*\ClusterStorage +- `%SystemDrive%\ClusterStorage` -- *%clusterserviceaccount%*\Local Settings\Temp +- `%clusterserviceaccount%\Local Settings\Temp` -- *%SystemDrive%*\mscs +- `%SystemDrive%\mscs` ### Print Server exclusions @@ -348,19 +348,19 @@ This section lists the file type exclusions, folder exclusions, and the process #### File type exclusions -- *.shd +- `*.shd` -- *.spl +- `*.spl` #### Folder exclusions This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` -- *%system32%*\spool\printers\\* +- `%system32%\spool\printers\*` #### Process exclusions -- spoolsv.exe +- `spoolsv.exe` ### Web Server exclusions @@ -368,35 +368,35 @@ This section lists the folder exclusions and the process exclusions that are del #### Folder exclusions -- *%SystemRoot%*\IIS Temporary Compressed Files +- `%SystemRoot%\IIS Temporary Compressed Files` -- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files +- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` -- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates +- `%SystemDrive%\inetpub\temp\ASP Compiled Templates` -- *%systemDrive%*\inetpub\logs +- `%systemDrive%\inetpub\logs` -- *%systemDrive%*\inetpub\wwwroot +- `%systemDrive%\inetpub\wwwroot` #### Process exclusions -- *%SystemRoot%*\system32\inetsrv\w3wp.exe +- `%SystemRoot%\system32\inetsrv\w3wp.exe` -- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe +- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` -- *%SystemDrive%*\PHP5433\php-cgi.exe +- `%SystemDrive%\PHP5433\php-cgi.exe` ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` -- *%systemroot%*\WSUS\WSUSContent +- `%systemroot%\WSUS\WSUSContent` -- *%systemroot%*\WSUS\UpdateServicesDBFiles +- `%systemroot%\WSUS\UpdateServicesDBFiles` -- *%systemroot%*\SoftwareDistribution\Datastore +- `%systemroot%\SoftwareDistribution\Datastore` -- *%systemroot%*\SoftwareDistribution\Download +- `%systemroot%\SoftwareDistribution\Download` ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 3345190e01..40994831c4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 02/12/2020 +ms.date: ms.reviewer: manager: dansimp --- @@ -25,6 +25,9 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) +> [!NOTE] +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. + Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. For example: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index b71b5b24ba..58e3fd0a6f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -58,7 +58,7 @@ There are five locations where you can specify where an endpoint should obtain u To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. > [!IMPORTANT] -> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). +> If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). > You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).

    > Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 07b211d997..1c06747e7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -84,7 +84,7 @@ If you are enrolled in Microsoft Defender ATP and you are using a third party an When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. -In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index a1ed7741c5..51cc0fbe72 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -32,8 +32,8 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender | |Advantage |Why it matters | |--|--|--| -|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | -|2|Threat analytics and your configuration score |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | |3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| |4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 41857037ef..0b1624d685 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2019 --- # DeviceTvmSecureConfigurationAssessment diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index 9381ed9722..a50f7b4988 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2019 --- # DeviceTvmSecureConfigurationAssessmentKB diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 50afa668fd..6e83ac102d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2019 --- # DeviceTvmSoftwareInventoryVulnerabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 255fb53dc3..aa46c9d8a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/12/2019 --- # DeviceTvmSoftwareVulnerabilitiesKB diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 7ea09555f6..182bb5e356 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -29,7 +29,7 @@ Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). @@ -43,8 +43,8 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators ## Configure web protection Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. -For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). ## Related topics - [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) \ No newline at end of file +- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index 79ac88b90c..cb62aaa586 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . As Microsoft Defender ATP for Android is deployed via managed Google Play, updates to the app are automatic via Google Play. -Currently only Work Profile, Fully Managed devices are supported for deployment. +Currently only Work Profile enrolled devices are supported for deployment. >[!NOTE] @@ -265,7 +265,7 @@ assignment. ## Complete onboarding and check status 1. Confirm the installation status of Microsoft Defender ATP for Android by -clicking on the **Device Install Status**. Verif that the device is +clicking on the **Device Install Status**. Verify that the device is displayed here. ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index 33f344c34b..83e2b43c79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -39,7 +39,15 @@ Ensure that you have the right RBAC permissions to configure your Threat & Vulne >- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). ## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) + +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Supported operating systems and platforms](tvm-supported-os.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation and exception](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 642a65bde0..5066055f55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -189,7 +189,7 @@ The following capabilities are included in this integration: - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users). > - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. > - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png new file mode 100644 index 0000000000..138df35a03 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png new file mode 100644 index 0000000000..1e9bb59266 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png new file mode 100644 index 0000000000..03e534bb18 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png new file mode 100644 index 0000000000..ec1325ab1d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png b/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png new file mode 100644 index 0000000000..0da9ac0e88 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bug-caution-icon2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png b/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png new file mode 100644 index 0000000000..36a6a2509c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bug-lightning-icon2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png new file mode 100644 index 0000000000..7fe365f9a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png new file mode 100644 index 0000000000..b3e9f9a8ad Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-warning-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png index 95ad384e50..42a386d71f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png index 1a142cd7ac..abcb32fb7b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-black-bug-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-black-bug-icon.png new file mode 100644 index 0000000000..33cf4ffe61 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-black-bug-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-devices.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-devices.png new file mode 100644 index 0000000000..65cd96fd91 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-devices.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-nav.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-nav.png new file mode 100644 index 0000000000..e7193d83e8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-dashboard-nav.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-dates.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-dates.png new file mode 100644 index 0000000000..aa5fa7c554 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-dates.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-drilldown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-drilldown.png new file mode 100644 index 0000000000..669e392d04 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-drilldown.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score.png new file mode 100644 index 0000000000..6892f9bcb0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png new file mode 100644 index 0000000000..dd5df1eee4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout.png new file mode 100644 index 0000000000..f056931ef0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout500.png new file mode 100644 index 0000000000..3a7c5c709b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-flyout500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-overview-mixed-type.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-overview-mixed-type.png new file mode 100644 index 0000000000..5ce64f30d1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-overview-mixed-type.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software-pages.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software-pages.png new file mode 100644 index 0000000000..d129da0294 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-software-pages.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png index e42ff5b807..3b67159481 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-events-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-events-card.png new file mode 100644 index 0000000000..b4b6c0cb44 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-events-card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md new file mode 100644 index 0000000000..e0233b7ae1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -0,0 +1,72 @@ +--- +title: Create indicators based on certificates +ms.reviewer: +description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities. +keywords: ioc, certificate, certificates, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators based on certificates (preview) + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + +You can create indicators for certificates. Some common use cases include: + +- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. +- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. + + +### Before you begin + +It's important to understand the following requirements prior to creating indicators for certificates: + +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- The Antimalware client version must be 4.18.1901.x or later. +- Supported on machines on Windows 10, version 1703 or later. +- The virus and threat protection definitions must be up-to-date. +- This feature currently supports entering .CER or .PEM file extensions. + +>[!IMPORTANT] +> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). +>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported. +>- Microsoft signed certificates cannot be blocked. + +#### Create an indicator for certificates from the settings page: + +>[!IMPORTANT] +> It can take up to 3 hours to create and remove a certificate IoC. + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **Certificate** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md new file mode 100644 index 0000000000..c3312ea5e8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -0,0 +1,79 @@ +--- +title: Create indicators for files +ms.reviewer: +description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. +keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators for files + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. + +There are two ways you can create indicators for files: +- By creating an indicator through the settings page +- By creating a contextual indicator using the add indicator button from the file details page + +### Before you begin +It's important to understand the following prerequisites prior to creating indicators for files: + +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- The Antimalware client version must be 4.18.1901.x or later. +- Supported on machines on Windows 10, version 1703 or later. +- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. +- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. + +>[!IMPORTANT] +>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action +>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. + + +>[!NOTE] +>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. + +### Create an indicator for files from the settings page + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **File hash** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +### Create a contextual indicator from the file details page +One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. + +When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. + +Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. + + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Create indicators based on certificates](indicator-certificates.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md new file mode 100644 index 0000000000..90e188b28e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -0,0 +1,75 @@ +--- +title: Create indicators for IPs and URLs/domains +ms.reviewer: +description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. +keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators for IPs and URLs/domains + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + + +Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. + +The threat intelligence data set for this has been managed by Microsoft. + +By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. + +### Before you begin +It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: +- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). +- The Antimalware client version must be 4.18.1906.x or later. +- Supported on machines on Windows 10, version 1709 or later. +- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). + + +>[!IMPORTANT] +> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. +> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
    +> NOTE: +>- IP is supported for all three protocols +>- Encrypted URLs (full path) can only be blocked on first party browsers +>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers +>- Full URL path blocks can be applied on the domain level and all unencrypted URLs + +>[!NOTE] +>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. + +### Create an indicator for IPs, URLs, or domains from the settings page + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **IP addresses or URLs/Domains** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators based on certificates](indicator-certificates.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md new file mode 100644 index 0000000000..2c3ba958b9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -0,0 +1,70 @@ +--- +title: Manage indicators +ms.reviewer: +description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. +keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Manage indicators + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the tab of the entity type you'd like to manage. + +3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. + +## Import a list of IoCs + +You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. + +Download the sample CSV to know the supported column attributes. + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the tab of the entity type you'd like to import indicators for. + +3. Select **Import** > **Choose file**. + +4. Select **Import**. Do this for all the files you'd like to import. + +5. Select **Done**. + +The following table shows the supported parameters. + +Parameter | Type | Description +:---|:---|:--- +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** +indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +title | String | Indicator alert title. **Required** +description | String | Description of the indicator. **Required** +expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional** +severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** +recommendedActions | String | TI indicator alert recommended actions. **Optional** +rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Create indicators based on certificates](indicator-certificates.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 378fbbc6a0..709b03a5e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -35,14 +35,15 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. +In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details. + - Ansible needs to be installed on at least on one computer (we will call it the master). - SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication. - The following software must be installed on all clients: - curl - python-apt - - unzip -- All hosts must be listed in the following format in the `/etc/ansible/hosts` file: +- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file: ```bash [servers] @@ -79,55 +80,32 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create Ansible YAML files -Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory: +Create a subtask or role files that contribute to an playbook or task. -- Copy the onboarding package to all client devices: +- Create the onboarding task, `onboarding_setup.yml`: ```bash - - name: Copy the zip file - copy: - src: /root/WindowsDefenderATPOnboardingPackage.zip - dest: /root/WindowsDefenderATPOnboardingPackage.zip - owner: root - group: root - mode: '0644' + - name: Create MDATP directories + file: + path: /etc/opt/microsoft/mdatp/ + recurse: true + state: directory + mode: 0755 + owner: root + group: root - - name: Add Microsoft apt signing key - apt_key: - url: https://packages.microsoft.com/keys/microsoft.asc - state: present - when: ansible_os_family == "Debian" - ``` - -- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory: - - ```bash - #!/bin/bash - # We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root - cd /root || exit 1 - # Unzip the archive and create the onboarding file - mkdir -p /etc/opt/microsoft/mdatp/ - unzip WindowsDefenderATPOnboardingPackage.zip - cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json - ``` - -- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory: - - ```bash - name: Register mdatp_onboard.json - stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json + stat: + path: /etc/opt/microsoft/mdatp/mdatp_onboard.json register: mdatp_onboard - - name: Copy the setup script file - copy: - src: /root/setup.sh - dest: /root/setup.sh - owner: root - group: root - mode: '0744' - - - name: Run a script to create the onboarding file - script: /root/setup.sh + - name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp + unarchive: + src: WindowsDefenderATPOnboardingPackage.zip + dest: /etc/opt/microsoft/mdatp + mode: 0600 + owner: root + group: root when: not mdatp_onboard.stat.exists ``` @@ -150,6 +128,12 @@ Create subtask or role files that contribute to an actual task. First create the > In case of Oracle Linux, replace *[distro]* with “rhel”. ```bash + - name: Add Microsoft APT key + apt_key: + keyserver: https://packages.microsoft.com/ + id: BC528686B50D79E339D3721CEB3E94ADBE1229CF + when: ansible_os_family == "Debian" + - name: Add Microsoft apt repository for MDATP apt_repository: repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main @@ -158,12 +142,6 @@ Create subtask or role files that contribute to an actual task. First create the filename: microsoft-[channel].list when: ansible_os_family == "Debian" - - name: Add Microsoft APT key - apt_key: - keyserver: https://packages.microsoft.com/ - id: BC528686B50D79E339D3721CEB3E94ADBE1229CF - when: ansible_os_family == "Debian" - - name: Add Microsoft yum repository for MDATP yum_repository: name: packages-microsoft-com-prod-[channel] @@ -175,7 +153,7 @@ Create subtask or role files that contribute to an actual task. First create the when: ansible_os_family == "RedHat" ``` -- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`. +- Create the Ansible install and uninstall YAML files. - For apt-based distributions use the following YAML file: @@ -183,8 +161,7 @@ Create subtask or role files that contribute to an actual task. First create the $ cat install_mdatp.yml - hosts: servers tasks: - - include: ../roles/download_copy_blob.yml - - include: ../roles/setup_blob.yml + - include: ../roles/onboarding_setup.yml - include: ../roles/add_apt_repo.yml - apt: name: mdatp @@ -207,8 +184,7 @@ Create subtask or role files that contribute to an actual task. First create the $ cat install_mdatp_yum.yml - hosts: servers tasks: - - include: ../roles/download_copy_blob.yml - - include: ../roles/setup_blob.yml + - include: ../roles/onboarding_setup.yml - include: ../roles/add_yum_repo.yml - yum: name: mdatp @@ -227,7 +203,7 @@ Create subtask or role files that contribute to an actual task. First create the ## Deployment -Now run the tasks files under `/etc/ansible/playbooks/`. +Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. - Installation: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 3d93fef08d..ef1aa769a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -33,7 +33,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. + For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md). In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details. @@ -205,7 +205,7 @@ If the product is not healthy, the exit code (which can be checked through `echo ## Log installation issues -See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues). ## Operating system upgrades diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index a892d04701..22e71176b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -69,26 +69,46 @@ There are several ways to uninstall Microsoft Defender ATP for Linux. If you are ## Configure from the command line -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line. -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config real_time_protection --value [enabled|disabled]` | -|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` | -|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` | -|Configuration|Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` | -|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` | -|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` | -|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | -|Health |Check the product's health |`mdatp health` | -|Protection |Scan a path |`mdatp scan custom --path [path]` | -|Protection |Do a quick scan |`mdatp scan quick` | -|Protection |Do a full scan |`mdatp scan full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | -|Protection |Request a security intelligence update |`mdatp definitions update` | +### Global options + +By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands. + +### Supported commands + +The following table lists commands for some of the most common scenarios. Run `mdatp help` from the Terminal to view the full list of supported commands. + +|Group |Scenario |Command | +|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------| +|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` | +|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` | +|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` | +|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` | +|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` | +|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name ` | +|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path ` | +|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path ` | +|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path `
    `mdatp exclusion process [add|remove] --name ` | +|Configuration |List all antivirus exclusions |`mdatp exclusion list` | +|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` | +|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | +|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` | +|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | +|Health |Check the product's health |`mdatp health` | +|Protection |Scan a path |`mdatp scan custom --path [path]` | +|Protection |Do a quick scan |`mdatp scan quick` | +|Protection |Do a full scan |`mdatp scan full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | +|Protection |Request a security intelligence update |`mdatp definitions update` | +|Protection history |Print the full protection history |`mdatp threat list` | +|Protection history |Get threat details |`mdatp threat get --id ` | +|Quarantine management |List all quarantined files |`mdatp threat quarantine list` | +|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` | +|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id ` | +|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id ` | +|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id ` | ## Microsoft Defender ATP portal information @@ -113,6 +133,7 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: ### Known issues +- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue. - Logged on users do not appear in the Microsoft Defender Security Center portal. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index d774cafe00..f48ac979fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https: The output from this command should be similar to: -``` +```bash OK https://x.cp.wd.microsoft.com/api/report OK https://cdn.x.cp.wd.microsoft.com/ping ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 8ffdc04ee8..d89a6593f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -27,23 +27,26 @@ ms.topic: conceptual ## Verify if installation succeeded An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using: -```bash -$ sudo journalctl | grep 'microsoft-mdatp' > installation.log -$ grep 'postinstall end' installation.log -microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 -``` + ```bash + $ sudo journalctl | grep 'microsoft-mdatp' > installation.log + $ grep 'postinstall end' installation.log + + microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 + ``` + An output from the previous command with correct date and time of installation indicates success. Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file. ## Installation failed -Check if the mdatp service is running -```bash -$ systemctl status mdatp +Check if the mdatp service is running: -● mdatp.service - Microsoft Defender ATP +```bash + $ systemctl status mdatp + + ● mdatp.service - Microsoft Defender ATP Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago Main PID: 1966 (wdavdaemon) @@ -52,71 +55,71 @@ $ systemctl status mdatp ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon -``` + ``` ## Steps to troubleshoot if mdatp service isn't running -1. Check if “mdatp” user exists: -```bash -$ id “mdatp” -``` -If there’s no output, run -```bash -$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp -``` +1. Check if "mdatp" user exists: + ```bash + $ id "mdatp" + ``` + If there’s no output, run + ```bash + $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp + ``` 2. Try enabling and restarting the service using: -```bash -$ sudo systemctl enable mdatp -$ sudo systemctl restart mdatp -``` + ```bash + $ sudo systemctl enable mdatp + $ sudo systemctl restart mdatp + ``` 3. If mdatp.service isn't found upon running the previous command, run -```bash -$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service + ```bash + $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service -where is -/lib/systemd/system for Ubuntu and Debian distributions -/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES -``` -and then rerun step 2. + where is + /lib/systemd/system for Ubuntu and Debian distributions + /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES + ``` + and then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. 5. Ensure that the daemon has executable permission. -```bash -$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon + ```bash + $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon --rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon -``` -If the daemon doesn't have executable permissions, make it executable using: -```bash -$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon -``` -and retry running step 2. + -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon + ``` + If the daemon doesn't have executable permissions, make it executable using: + ```bash + $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon + ``` + and retry running step 2. -6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”. +6. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". ## If mdatp service is running, but EICAR text file detection doesn't work 1. Check the file system type using: -```bash -$ findmnt -T -``` -Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. + ```bash + $ findmnt -T + ``` + Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. ## Command-line tool “mdatp” isn't working 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: -```bash -$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp -``` -and try again. + ```bash + $ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp + ``` + and try again. -If none of the above steps help, collect the diagnostic logs: -```bash -$ sudo mdatp diagnostic create -Diagnostic file created: -``` -Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. + If none of the above steps help, collect the diagnostic logs: + ```bash + $ sudo mdatp diagnostic create + Diagnostic file created: + ``` + Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 6748041572..5119c3afc3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -81,4 +81,4 @@ The following steps can be used to troubleshoot and mitigate these issues: 4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details. + For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index bd2a88d40f..d2a63d964c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -27,7 +27,7 @@ ms.topic: conceptual ## 101.00.75 - Added support for the following file system types: `ecryptfs`, `fuse`, `fuseblk`, `jfs`, `nfs`, `overlay`, `ramfs`, `reiserfs`, `udf`, and `vfat` -- New syntax for the command-line tool. For more information, see [this page](linux-resources.md#configure-from-the-command-line). +- New syntax for the [command-line tool](linux-resources.md#configure-from-the-command-line). - Performance improvements & bug fixes ## 100.90.70 diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 270e61656a..ff78248097 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -51,7 +51,7 @@ The following table summarizes the steps you would need to take to deploy and ma | [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

    **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | -| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages @@ -245,7 +245,7 @@ You may now enroll more devices. You can also enroll them later, after you have BadgesEnabled BundleIdentifier - com.microsoft.wdavtray + com.microsoft.wdav.tray CriticalAlertEnabled GroupingType diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 6f844e39a0..4cb0f6f707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -46,7 +46,7 @@ The following table summarizes the steps you would need to take to deploy and ma |-|-|-| | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | | [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)

    **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav | -| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 | | [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc | | [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A | @@ -142,7 +142,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific ```xml - PayloadContentNotificationSettingsAlertType2BadgesEnabledBundleIdentifiercom.microsoft.autoupdate2CriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledAlertType2BadgesEnabledBundleIdentifiercom.microsoft.wdavtrayCriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledPayloadDescriptionPayloadDisplayNamenotificationsPayloadEnabledPayloadIdentifierBB977315-E4CB-4915-90C7-8334C75A7C64PayloadOrganizationMicrosoftPayloadTypecom.apple.notificationsettingsPayloadUUIDBB977315-E4CB-4915-90C7-8334C75A7C64PayloadVersion1PayloadDescriptionPayloadDisplayNamemdatp - allow notificationsPayloadEnabledPayloadIdentifier85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadOrganizationMicrosoftPayloadRemovalDisallowedPayloadScopeSystemPayloadTypeConfigurationPayloadUUID85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadVersion1 + PayloadContentNotificationSettingsAlertType2BadgesEnabledBundleIdentifiercom.microsoft.autoupdate2CriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledAlertType2BadgesEnabledBundleIdentifiercom.microsoft.wdav.trayCriticalAlertEnabledGroupingType0NotificationsEnabledShowInLockScreenShowInNotificationCenterSoundsEnabledPayloadDescriptionPayloadDisplayNamenotificationsPayloadEnabledPayloadIdentifierBB977315-E4CB-4915-90C7-8334C75A7C64PayloadOrganizationMicrosoftPayloadTypecom.apple.notificationsettingsPayloadUUIDBB977315-E4CB-4915-90C7-8334C75A7C64PayloadVersion1PayloadDescriptionPayloadDisplayNamemdatp - allow notificationsPayloadEnabledPayloadIdentifier85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadOrganizationMicrosoftPayloadRemovalDisallowedPayloadScopeSystemPayloadTypeConfigurationPayloadUUID85F6805B-0106-4D23-9101-7F1DFD5EA6D6PayloadVersion1 ``` ### Package diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md new file mode 100644 index 0000000000..d7a913d13f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -0,0 +1,78 @@ +--- +title: How to schedule scans with MDATP for macOS +description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in macOS to better protect your organization's assets. +keywords: microsoft, defender, atp, mac, scans, antivirus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Schedule scans with Microsoft Defender ATP for Mac + +While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer. + +## Schedule a scan with launchd + +1. Create a new .xml file. Use the following example to create your scanning schedule file. + + ```xml + + + + + Label + com.microsoft.wdav.schedquickscan + ProgramArguments + + sh + -c + /usr/local/bin/mdatp --scan --quick + + RunAtLoad + + StartCalendarInterval + Day + 3 + Hour + 2 + Minute + 0 + Weekday + 5 + + StartInterval + 604800 + WorkingDirectory + /usr/local/bin/ + + + ``` + +2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist. + + >[!NOTE] + >To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan –full in the array string and update your .plist filename. + +3. Search for, and then open **Terminal**. +4. To load your file into **launchd**, enter the following commands: + + ```bash + `$ launchctl load /Library/LaunchDaemons/` + `$ launchctl start ` + ``` + +5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week. + + > [!NOTE] + > Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 2350c4c54c..e17e4280c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -1,5 +1,5 @@ --- -title: Manage indicators +title: Create indicators ms.reviewer: description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain @@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage indicators +# Create indicators **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -49,188 +49,17 @@ The current supported actions are: You can create an indicator for: -- Files -- IP addresses -- URLs/domains +- [Files](indicator-file.md) +- [IP addresses, URLs/domains](indicator-ip-domain.md) +- [Certificates (preview)](indicator-certificates.md) + >[!NOTE] >There is a limit of 15,000 indicators per tenant. -![Image of indicators settings page](images/rules-indicators.png) +## Related topics - -## Create indicators for files -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. - -There are two ways you can create indicators for files: -- By creating an indicator through the settings page -- By creating a contextual indicator using the add indicator button from the file details page - -### Before you begin -It's important to understand the following prerequisites prior to creating indicators for files: - -- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). -- The Antimalware client version must be 4.18.1901.x or later. -- Supported on devices on Windows 10, version 1703 or later. -- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. -- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. - ->[!IMPORTANT] ->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action ->- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. - - ->[!NOTE] ->Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. - -### Create an indicator for files from the settings page - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **File hash** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group according to your [user permissions](machine-groups.md). - -5. Review the details in the Summary tab, then click **Save**. - -### Create a contextual indicator from the file details page -One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. - -When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. - -Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. - -## Create indicators for IPs and URLs/domains -Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. - -The threat intelligence data set for this has been managed by Microsoft. - -By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by device groups if you deem certain groups to be more or less at risk than others. - -### Before you begin -It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: -- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). -- The Antimalware client version must be 4.18.1906.x or later. -- Supported on devices on Windows 10, version 1709 or later. -- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). - - ->[!IMPORTANT] -> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. -> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
    -> NOTE: ->- IP is supported for all three protocols ->- Encrypted URLs (full path) can only be blocked on first party browsers ->- Encrypted URLS (FQDN only) can be blocked outside of first party browsers ->- Full URL path blocks can be applied on the domain level and all unencrypted URLs - ->[!NOTE] ->There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. - -### Create an indicator for IPs, URLs, or domains from the settings page - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **IP addresses or URLs/Domains** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group. - -5. Review the details in the Summary tab, then click **Save**. - -## Create indicators for certificates - -You can create indicators for certificates. Some common use cases include: - -- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. -- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. - - -### Before you begin - -It's important to understand the following requirements prior to creating indicators for certificates: - -- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). -- The Antimalware client version must be 4.18.1901.x or later. -- Supported on devices on Windows 10, version 1703 or later. -- The virus and threat protection definitions must be up-to-date. -- This feature currently supports entering .CER or .PEM file extensions. - ->[!IMPORTANT] -> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). ->- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported. ->- Microsoft signed certificates cannot be blocked. - -#### Create an indicator for certificates from the settings page: - ->[!IMPORTANT] -> It can take up to 3 hours to create and remove a certificate IoC. - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **Certificate** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group. - -5. Review the details in the Summary tab, then click **Save**. - - -## Manage indicators - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the tab of the entity type you'd like to manage. - -3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. - -## Import a list of IoCs - -You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. - -Download the sample CSV to know the supported column attributes. - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the tab of the entity type you'd like to import indicators for. - -3. Select **Import** > **Choose file**. - -4. Select **Import**. Do this for all the files you'd like to import. - -5. Select **Done**. - -The following table shows the supported parameters. - -Parameter | Type | Description -:---|:---|:--- -indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** -indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** -action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** -title | String | Indicator alert title. **Required** -description | String | Description of the indicator. **Required** -expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional** -severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** -recommendedActions | String | TI indicator alert recommended actions. **Optional** -rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** - - - -## Related topic - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) - [Use the Microsoft Defender ATP indicators API](ti-indicator.md) - [Use partner integrated solutions](partner-applications.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 9f2bcb6ccd..b20e6bfe22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -102,11 +102,9 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft -**[Configuration score](configuration-score.md)**
    -> [!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). +**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
    -Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +Microsoft Defender ATP includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 385bdbecbb..425c0389da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -39,7 +39,7 @@ There are several methods and deployment tools that you can use to install and c In general you need to take the following steps: -- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal. +- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md). - Deploy Microsoft Defender ATP for Linux using one of the following deployment methods: - The command-line tool: - [Manual deployment](linux-install-manually.md) @@ -51,7 +51,7 @@ If you experience any installation failures, refer to [Troubleshooting installat ### System requirements -- Supported Linux server distributions and versions: +- Supported Linux server distributions and versions: - Red Hat Enterprise Linux 7.2 or higher - CentOS 7.2 or higher diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index b51e526c2d..81a12f3806 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -91,19 +91,32 @@ Ensure that your devices: - Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. - Have at least one security recommendation that can be viewed in the device page -- Are tagged or marked as co-managed +- Are tagged or marked as co-managed + +## APIs + +Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +See the following topics for related APIs: + +- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Machine APIs](machine.md) +- [Recommendation APIs](vulnerability.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index aae2efc200..2b28898f2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -57,7 +57,7 @@ Area | Description **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability. **Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings. -**Threat & Vulnerability management** | View your configuration score, exposure score, exposed devices, vulnerable software, and take action on top security recommendations. +**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations. **Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment. **Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md index 479263bdf5..11d05369ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md @@ -35,7 +35,7 @@ Method |Return Type |Description ## Properties -Property | Type | Description +Property | Type | Description :---|:---|:--- id | String | Recommendation ID productName | String | Related software name @@ -43,15 +43,15 @@ recommendationName | String | Recommendation name Weaknesses | Long | Number of discovered vulnerabilities Vendor | String | Related vendor name recommendedVersion | String | Recommended version -recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack +recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack subCategory | String | Recommendation sub-category -severityScore | Double | Potential impact of the configuration to the organization’s configuration score (1-10) +severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10) publicExploit | Boolean | Public exploit is available activeAlert | Boolean | Active alert is associated with this recommendation associatedThreats | String collection | Threat analytics report is associated with this recommendation -remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall” -Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception” -configScoreImpact | Double | Configuration score impact +remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall" +Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception" +configScoreImpact | Double | Microsoft Secure Score for Devices impact exposureImpacte | Double | Exposure score impact totalMachineCount | Long | Number of installed devices exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md new file mode 100644 index 0000000000..0261393243 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -0,0 +1,53 @@ +--- +title: Migrate from Symantec to Microsoft Defender ATP +description: Make the switch from Symantec to Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec to Microsoft Defender Advanced Threat Protection + +If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. + +## The migration process + +When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table: + +|Phase |Description | +|--|--| +|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
    [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. | +|[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
    [Set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
    [Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in active mode. | + +## What's included in Microsoft Defender ATP? + +In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. + +| Feature/Capability | Description | +|---|---| +| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | +| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | +| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | +| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. | +| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | +| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | +| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. | + +**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).** + +## Next step + +- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md new file mode 100644 index 0000000000..f6102fbeb5 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -0,0 +1,103 @@ +--- +title: Phase 3 - Onboard to Microsoft Defender ATP +description: Make the switch from Symantec to Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP + +|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
    [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
    [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/onboard.png)
    Phase 3: Onboard | +|--|--|--| +|| |*You are here!* | + + +**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall Symantec](#uninstall-symantec). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
    - [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows 8.1 Enterprise
    - Windows 8.1 Pro
    - Windows 7 SP1 Enterprise
    - Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

    **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|- Windows Server 2019 and later
    - Windows Server 2019 core edition
    - Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
    - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-machines-using-earlier-versions-of-system-center-configuration-manager)
    - [VDI onboarding scripts for non-persistent machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows Server 2016
    - Windows Server 2012 R2
    - Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
    - [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra)

    iOS

    Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |[Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
    - Windows Server 2019
    - Windows Server, version 1803
    - Windows Server 2016
    - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

    Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

    For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
    `mdatp health --field real_time_protection_enabled`.

    2. Open a Terminal window, and run the following command:
    `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

    3. Run the following command to list any detected threats:
    `mdatp threat list`.

    For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | + +## Uninstall Symantec + +Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec. + +1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec. + +2. Delete the uninstall password for Symantec: + 1. On your Windows devices, open Registry Editor as an administrator. + 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`. + 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. + +3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html). + + +> [!TIP] +> Need help? See the following Broadcom resources: +> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html). +> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040). +> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387). +> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054). + +## Make sure Microsoft Defender ATP is in active mode + +Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode. + +To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following: +- Cloud-delivered protection +- Potentially Unwanted Applications (PUA) +- Network Protection (NP) + +## Next steps + +**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md new file mode 100644 index 0000000000..5f7918273a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -0,0 +1,85 @@ +--- +title: Phase 1 - Prepare for your migration to Microsoft Defender ATP +description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 1: Prepare for your migration + +|![Phase 1: Prepare](images/prepare.png)
    Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
    [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
    [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | +|--|--|--| +|*You are here!*| | | + + +**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. + +This migration phase includes the following steps: +1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp). +2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). +3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). + +## Get Microsoft Defender ATP + +To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned. + +1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). + +2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). + +3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). + +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). + +At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +> [!NOTE] +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. + +## Grant access to the Microsoft Defender Security Center + +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). + +Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. + +1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). + +2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). + + If your organization requires a method other than Intune, choose one of the following options: + - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) + - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) + - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) + +3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). + +## Configure device proxy and internet connectivity settings + +To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: + +|Capabilities | Operating System | Resources | +|--|--|--| +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
    - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
    | +|Antivirus |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) + +## Next step + +**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md new file mode 100644 index 0000000000..eef8e48d51 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -0,0 +1,207 @@ +--- +title: Phase 2 - Set up Microsoft Defender ATP +description: Phase 2 - Set up Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP + +|[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
    [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/setup.png)
    Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
    [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | +|--|--|--| +||*You are here!* | | + + +**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps: +1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows). +2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). +3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec). +4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus). +5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp). +6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). +7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). + +## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows) + +> [!TIP] +> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**. + +On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). + +Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode. + +### Reinstall Microsoft Defender Antivirus on Windows Server + +> [!NOTE] +> The following procedure applies only to endpoints or devices that are running the following versions of Windows: +> - Windows Server 2019 +> - Windows Server, version 1803 (core-only mode) +> - Windows Server 2016 +> +> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). + +1. As a local administrator on the endpoint or device, open Windows PowerShell. + +2. Run the following PowerShell cmdlets:
    + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
    + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
    + +3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
    + `Get-Service -Name windefend` + +> [!TIP] +> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). + +### Set Microsoft Defender Antivirus to passive mode on Windows Server + +Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. + +1. Open Registry Editor, and then navigate to
    + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: + - Set the DWORD's value to **1**. + - Under **Base**, select **Hexadecimal**. + +> [!NOTE] +> You can use other methods to set the registry key, such as the following: +>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) +>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) +>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs) + +## Enable Microsoft Defender Antivirus + +Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. + +To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table: + +|Method |What to do | +|---------|---------| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

    3. Select **Properties**, and then select **Configuration settings: Edit**.

    4. Expand **Microsoft Defender Antivirus**.

    5. Enable **Cloud-delivered protection**.

    6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

    7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

    8. Select **Review + save**, and then choose **Save**.

    For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
    or
    [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

    2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

    3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | + +### Verify that Microsoft Defender Antivirus is in passive mode + +Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table: + +|Method |What to do | +|---------|---------| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

    2. Type `sc query windefend`, and then press Enter.

    3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

    2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.

    3. In the list of results, look for **AntivirusEnabled: True**. | + +> [!NOTE] +> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. + +## Add Microsoft Defender ATP to the exclusion list for Symantec + +This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table: + +|OS |Exclusions | +|--|--| +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
    - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
    | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

    **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

    `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | + +## Add Symantec to the exclusion list for Microsoft Defender Antivirus + +During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list. + +When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: +- Path exclusions exclude specific files and whatever those files access. +- Process exclusions exclude whatever a process touches, but does not exclude the process itself. +- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded. +- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) + +You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + +|Method | What to do| +|--|--| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

    3. Under **Manage**, select **Properties**.

    4. Select **Configuration settings: Edit**.

    5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

    6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

    7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

    2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

    2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

    3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    4. Double-click the **Path Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Specify each folder on its own line under the **Value name** column.
    - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

    5. Click **OK**.

    6. Double-click the **Extension Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

    7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

    2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

    2. Import the registry key. Here are two examples:
    - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
    - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | + +## Add Symantec to the exclusion list for Microsoft Defender ATP + +To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. + +3. On the **File hashes** tab, choose **Add indicator**. + +3. On the **Indicator** tab, specify the following settings: + - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) + - Under **Expires on (UTC)**, choose **Never**. + +4. On the **Action** tab, specify the following settings: + - **Response Action**: **Allow** + - Title and description + +5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. + +6. On the **Summary** tab, review the settings, and then click **Save**. + +### Find a file hash using CMPivot + +CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview). + +To use CMPivot to get your file hash, follow these steps: + +1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). + +2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + +3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). + +4. Select the **Query** tab. + +5. In the **Device Collection** list, and choose **All Systems (default)**. + +6. In the query box, type the following query:
    + +```kusto +File(c:\\windows\\notepad.exe) +| project Hash +``` +> [!NOTE] +> In the query above, replace *notepad.exe* with the your third-party security product process name. + +## Set up your device groups, device collections, and organizational units + +| Collection type | What to do | +|--|--| +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

    Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

    Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

    2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

    3. Choose **+ Add device group**.

    4. Specify a name and description for the device group.

    5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

    6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

    7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

    8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

    Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

    Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | + +## Configure antimalware policies and real-time protection + +Using Configuration Manager and your device collection(s), configure your antimalware policies. + +- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). + +- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). + +> [!TIP] +> You can deploy the policies before your organization's devices on onboarded. + +## Next step + +**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index d9da84884b..421805849d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -41,28 +41,30 @@ The threat analytics dashboard is a great jump off point for getting to the repo ![Image of a threat analytics dashboard](images/ta_dashboard.png) -Select a threat on any of the overviews or on the table to view the report for that threat. +Select a threat from any of the overviews or from the table to view the report for that threat. ## View a threat analytics report -Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides worldwide impact information, mitigation recommendations, and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat. +Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat. ![Image of a threat analytics report](images/ta.png) ### Organizational impact Each report includes cards designed to provide information about the organizational impact of a threat: -- **Devices with alerts** — shows the current number of distinct devices in your organization that have been impacted by the threat. A device is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. +- **Devices with alerts** — shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. - **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. ### Organizational resilience Each report also includes cards that provide an overview of how resilient your organization can be against a given threat: -- **Mitigation status** — shows the number of devices that have and have not applied mitigations for the threat. Devices are considered mitigated if they have all the measurable mitigations in place. +- **Security configuration status** — shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings. - **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. -- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of devices that don't have these mitigations in place. +- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place. ->[!IMPORTANT] ->- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a device has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts. ->- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency. +### Additional report details and limitations +When using the reports, keep the following in mind: ->[!NOTE] ->Devices are counted as "unavailable" if they have been unable to transmit data to the service. +- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC. +- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts. +- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency. +- Devices are counted as "unavailable" if they have been unable to transmit data to the service. +- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed". diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md new file mode 100644 index 0000000000..3c49e66665 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -0,0 +1,135 @@ +--- +title: Event timeline +description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it. +keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Event timeline + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more. + +Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). + +## Navigate to the Event timeline page + +You can access Event timeline mainly through three ways: + +- In the Threat & Vulnerability Management navigation menu in the Microsoft Defender Security Center +- Top events card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities) +- Hovering over the Exposure Score graph in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) + +### Navigation menu + +Go to the Threat & Vulnerability Management navigation menu and select **Event timeline** to view impactful events. + +### Top events card + +In the Threat & Vulnerability Management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page. + +![Event timeline page](images/tvm-top-events-card.png) + +### Exposure score graph + +In the Threat & Vulnerability Management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown. + +![Event timeline page](images/tvm-event-timeline-exposure-score400.png) + +Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day. + +![Event timeline page](images/tvm-event-timeline-drilldown.png) + +Select **Custom range** to change the date range to another custom one, or a pre-set time range. + +![Event timeline date range options](images/tvm-event-timeline-dates.png) + +## Event timeline overview + +On the Event timeline page, you can view the all the necesssary info related to an event. + +Features: + +- Customize columns +- Filter by event type or percent of impacted machines +- View 30, 50, or 100 items per page + +The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events. + +![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png) + +### Columns + +- **Date**: month, day, year +- **Event**: impactful event, including component, type, and number of impacted machines +- **Related component**: software +- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines. +- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**. +- **Types**: reflect time-stamped events that impact the score. They can be filtered. + - Exploit added to an exploit kit + - Exploit was verified + - New public exploit + - New vulnerability +- **Score trend**: exposure score trend + +### Icons + +The following icons show up next to events: + +- ![bug icon](images/tvm-black-bug-icon.png) New public exploit +- ![report warning icon](images/report-warning-icon.png) New vulnerability was published +- ![exploit kit](images/bug-lightning-icon2.png) Exploit found in exploit kit +- ![bug icon](images/bug-caution-icon2.png) Exploit verified + +### Drill down to a specific event + +Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation. + +The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation. + +![Event timeline flyout](images/tvm-event-timeline-flyout500.png) + +From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md). + +## View Event timelines in software pages + +To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages) + +A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution. + +![Software page with an Event timeline tab](images/tvm-event-timeline-software-pages.png) + +## Related topics + +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Supported operating systems and platforms](tvm-supported-os.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation and exception](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Advanced hunting overview](overview-hunting.md) +- [All advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 42546873f4..3a565b7fd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -1,7 +1,7 @@ --- title: Threat & Vulnerability Management scenarios description: Learn how Threat & Vulnerability Management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -27,18 +27,6 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -## APIs - -Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). -See the following topics for related APIs: - -- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Machine APIs](machine.md) -- [Recommendation APIs](vulnerability.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) - ## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. @@ -62,76 +50,19 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ``` -## Find and remediate software or software versions which have reached end-of-support (EOS) - -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. - -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. - -To find software or software versions which have reached end-of-support: - -1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. -2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) - -3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) - -### List of versions and dates - -To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: - -1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. - - ![Screenshot of version distribution link](images/eos-upcoming-eos.png) - -2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - - ![Screenshot of version distribution link](images/software-drilldown-eos.png) - -3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. - - ![Screenshot of version distribution link](images/version-eos-date.png) - -After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. - -## Define a device's value to the organization - -Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation, so devices marked as “high value” will receive more weight. - -Device value options: - -- Low -- Normal (Default) -- High - -Examples of machines that should be mark as high value: - -- Domain controllers, Active Directory -- Internet facing machines -- VIP machines -- Machines hosting internal/external production services - -### Set device value - -1. Navigate into any machine page -2. Select Machine Value and define a value -3. Review the value in the machine tag area - ## Related topics - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 393617182a..445718afae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -282,6 +282,10 @@ If the verification fails and your environment is using a proxy to connect to th ![Image of registry key for Microsoft Defender Antivirus](images/atp-disableantispyware-regkey.png) + > [!NOTE] + > In addition, you must ensure that wdfilter.sys and wdboot.sys are set to their default start values of "0". + > - `` + > - `` ## Troubleshoot onboarding issues on a server @@ -319,7 +323,7 @@ The steps below provide guidance for the following scenario: - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed > [!NOTE] -> The following steps are only relevant when using Microsoft Endpoint Configuration Manager +> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). 1. Create an application in Microsoft Endpoint Configuration Manager. @@ -445,4 +449,3 @@ The steps below provide guidance for the following scenario: - [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) - [Onboard devices](onboard-configure.md) - [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 907fbf1634..eaa32244f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,7 +1,7 @@ --- title: Threat & Vulnerability Management dashboard insights description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -32,13 +32,13 @@ Threat & Vulnerability Management is a component of Microsoft Defender ATP, and You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: -- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices +- View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices - Correlate EDR insights with endpoint vulnerabilities and process them - Select remediation options, triage and track the remediation tasks - Select exception options and track active exceptions > [!NOTE] -> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score. +> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and Microsoft Secure Score for Devices. Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard. @@ -46,15 +46,7 @@ Watch this video for a quick overview of what is in the Threat & Vulnerability M ## Threat & Vulnerability Management in Microsoft Defender Security Center -When you open the portal, you'll see the main areas of the capability: - -- (1) Menu to open the navigation pane -- (2) Threat & Vulnerability Management navigation pane -- (3) Threat & Vulnerability Management dashboard - - ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) - - ![Threat & Vulnerability Management menu](images/tvm-menu.png) + ![Microsoft Defender Advanced Threat Protection portal](images/tvm-dashboard-devices.png) You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. @@ -62,7 +54,7 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed devices data. +**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. [**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. [**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates. @@ -74,7 +66,7 @@ Area | Description :---|:--- **Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. [**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. -[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page. +[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page. **Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. **Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. @@ -88,11 +80,12 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 3e920228a6..5391b7ca6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -22,8 +22,14 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation. +- Quickly understand and identify high-level takeaways about the state of security in your organization. +- Detect and respond to areas that require investigation or action to improve the current state. +- Communicate with peers and management about the impact of security efforts. + The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. ![Exposure score card](images/tvm_exp_score.png) @@ -56,11 +62,12 @@ Lower your threat and vulnerability exposure by remediating [security recommenda - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md similarity index 58% rename from windows/security/threat-protection/microsoft-defender-atp/configuration-score.md rename to windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 0577df46b2..5cdd484045 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -1,7 +1,7 @@ --- -title: Overview of Configuration score in Microsoft Defender Security Center -description: Your configuration score shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls -keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center +description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls +keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,16 +16,16 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Configuration score +# Microsoft Secure Score for Devices **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as Configuration score. +> Configuration score is now part of Threat & Vulnerability Management as Microsoft Secure Score for Devices. -Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories: +Your score for devices is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories: - Application - Operating system @@ -38,9 +38,9 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom ## How it works >[!NOTE] -> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. +> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. -The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets - Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) @@ -49,9 +49,9 @@ The data in the configuration score card is the product of meticulous and ongoin ## Improve your security configuration -You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. +You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. -1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. +1. From the Microsoft Secure Score for Devices card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**. @@ -67,7 +67,7 @@ You can improve your security configuration when you remediate issues from the s 6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. -7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. +7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: @@ -91,5 +91,5 @@ You can improve your security configuration when you remediate issues from the s - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index bb9818de99..2c3f7a6ef5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -56,7 +56,7 @@ Once you are in the Remediation page, select the remediation activity that you w ## Exceptions -When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). +When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. @@ -77,11 +77,11 @@ The following statuses will be a part of an exception: ### Exception impact on scores -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner: +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. - **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. The exception impact shows on both the Security recommendations page column and in the flyout pane. @@ -99,10 +99,11 @@ Select **Show exceptions** at the bottom of the **Top security recommendations** - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index f32f8abb06..ad8c99b503 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -22,8 +22,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -59,7 +58,7 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit ### Top security recommendations in the Threat & Vulnerability Management dashboard -In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. ![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) @@ -67,7 +66,7 @@ The top security recommendations lists the improvement opportunities prioritized ## Security recommendations overview -View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. +View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure score and Microsoft Secure Score for Devices, and associated tags. The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green. @@ -80,7 +79,7 @@ Useful icons also quickly calls your attention to: - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights -### Investigate +### Explore security recommendation options Select the security recommendation that you want to investigate or process. @@ -90,13 +89,21 @@ From the flyout, you can do any of the following: - **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. +- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. >[!NOTE] >When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. +### Investigate changes in machine exposure or impact + +If there is a large jump in the number of exposed machines, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. + +1. Select the recommendation and **Open software page** +2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request + ## Request remediation The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. @@ -128,8 +135,6 @@ As an alternative to a remediation request, you can create exceptions for recomm There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. -Exceptions can be created for both Security update and Configuration change recommendations. - When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. 1. Select a security recommendation you would like create an exception for, and then **Exception options**. @@ -163,16 +168,53 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. +## Find and remediate software or software versions which have reached end-of-support (EOS) + +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. + +It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. + +To find software or software versions which have reached end-of-support: + +1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. +2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) + +3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) + +### List of versions and dates + +To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: + +1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. + + ![Screenshot of version distribution link](images/eos-upcoming-eos.png) + +2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. + + ![Screenshot of version distribution link](images/software-drilldown-eos.png) + +3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. + + ![Screenshot of version distribution link](images/version-eos-date.png) + +After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. + + ## Related topics - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 381bdcdf15..9e6591f91c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -48,7 +48,13 @@ Select the software that you want to investigate and a flyout panel opens up wit ## Software pages -Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information: +You can view software pages a few different ways: + +- Software inventory page > Select a software name > Select **Open software page** in the flyout +- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout +- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout + + A full page will appear with all the details of a specific software and the following information: - Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score - Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices @@ -80,10 +86,11 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 0842174b9a..68cb359a5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -1,7 +1,7 @@ --- title: Threat & Vulnerability Management supported operating systems and platforms description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. -keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -46,11 +46,12 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 86a8667ca9..32379a298f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -127,10 +127,11 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 1b8ecb7f27..3987410333 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -39,5 +39,5 @@ Topic | Description :---|:--- [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. [View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices. -[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices. -[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations. \ No newline at end of file +[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices. +[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index 0a88bbdd1d..bbcad993a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -24,11 +24,11 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. +Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. -You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification. +You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs that are associated with the category. For any category that's not blocked, they are automatically audited i.e. your users will be able to access the URLs without disruption and you will continue to gather access statistics to help create a more custom policy decision. If an element on the page you’re viewing is making calls to a resource which is blocked, your users will see a block notification. -Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support. +Web content filtering is available on the major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Chrome and Firefox). See the prerequisites section for more information about browser support. To summarize the benefits: @@ -38,8 +38,9 @@ To summarize the benefits: ## User experience -The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. -For a more user-friendly experience, consider using SmartScreen on Edge. +The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. + +For a more user-friendly in-browser experience, consider using Edge. ## Prerequisites @@ -47,51 +48,13 @@ Before trying out this feature, make sure you have the following: - Windows 10 Enterprise E5 license - Access to Microsoft Defender Security Center portal -- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox) -- Devices running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking -- A valid license with a partner data provider +- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. +Note that if SmartScreen is not turned on, Network Protection will take over the blocking. ## Data handling For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. -## Partner licensing - -In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. We’ve chosen [Cyren](https://www.cyren.com/threat-intelligence) as our first partner, who we’ve worked with closely to build an integrated solution. - -### About Cyren and Threat Intelligence Service for Microsoft Defender ATP - -Cyren’s URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced web security applications. Cyren’s comprehensive categories provide the necessary flexibility for any implementation requirement. - -The broad range of categories enables numerous applications: - -- Protecting users browsing the web from threats such as malware and phishing sites -- Ensuring employee productivity -- Consumer services such as parental control - -Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities. - -Learn more at https://www.cyren.com/products/url-filtering. - -### Cyren Permissions - -"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license. - -"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal. - -### Signing up for a Cyren License - -Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal. - ->[!NOTE] ->Make sure to add the URL you get redirected to by the signup process to the list of approved domains. - ->[!NOTE] ->A user with AAD app admin/global admin permissions is required to complete these steps. - -1. Go to **Reports > Web protection** from the side navigation -2. Select the **Connect to a partner** button -3. Go through the flow from the flyout to register and connect your Cyren account ## Turn on web content filtering @@ -116,6 +79,8 @@ To add a new policy: >[!NOTE] >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. +>ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. + ## Web content filtering cards and details Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering. @@ -154,18 +119,14 @@ You can access the **Report details** for each card by selecting a table row or Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item. + ## Errors and issues -### Why am I seeing the error "Need admin approval" when trying to connect to Cyren? - -You need to be logged in to an AAD account with either App administrator or Global Administrator privileges. Your IT admin would most likely either have these permissions and/or be able to grant them to you. - ### Limitations and known issues in this preview +- Only Edge is supported if your device's OS configuraiton is Server (cmd > Systeminfo > OS Configuration). This is because Network Protection is only supported in Inspect mode on Server devices which is responsible for securing traffic across Chrome/Firefox. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. -- The data in our reports may not be congruent with other data on the site. We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page. - ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 60760b7cac..4f0891df0c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -33,27 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Description +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen At least Windows Server 2012, Windows 8 or Windows RT This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. -Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control -Windows 10, version 1703 +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control +Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control +Windows 10, version 1703 This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.

    -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 6660f7a19e..d58e9bcde6 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -22,7 +22,10 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting. + +> [!NOTE] +> You may need to download the ADMX template for your version of Windows to enable this policy to be applied. ## Reference diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 077d800cdc..d755422a84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -70,7 +70,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). > - > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the tool will scan the C-drive by default. > > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 99be4872aa..489cb3373f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -150,7 +150,7 @@ Windows Sandbox also has improved accessibility in this release, including: With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. -[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization. +[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization. For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).