From ec9a88a0a568529121b2be66ff5c32abd81c305b Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 15 Jan 2021 20:04:54 -0800 Subject: [PATCH 01/30] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index ab42d2eb12..042ec80a0c 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -159,6 +159,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. +### Why doesn't the container not fully load when Device Control Policies are enabled? +The whitelisting of these items are required to be allowed in the GPO to ensure AppGuard works properly. + +Policy: Allow installation of devices that match any of these device IDs +• SCSI\DiskMsft____Virtual_Disk____ +• {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba +• VMS_VSF +• root\Vpcivsp +• root\VMBus +• vms_mp +• VMS_VSP +• ROOT\VKRNLINTVSP +• ROOT\VID +• root\storvsp +• vms_vsmp +• VMS_PP + +Policy: Allow installation of devices using drivers that match these device setup classes +• {71a27cdd-812a-11d0-bec7-08002be2092f} + + + ## See also -[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) 
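Review bot: the new FAQ entry has a double negative in its heading ("Why doesn't the container not fully load") and a number mismatch in its first sentence ("The whitelisting of these items are required to be allowed in the GPO"), which also says "whitelisting" and "allowed" for the same thing; suggest "Why doesn't the container fully load when device control policies are enabled?" and "These device IDs and the device setup class must be allowed in the GPO for Application Guard to work properly." The two "Policy:" lines and the "•" bullets are plain text rather than Markdown: use "- " list items and put each identifier in backticks, for example `SCSI\DiskMsft____Virtual_Disk____`, because the backslashes and runs of underscores are otherwise exposed to Markdown escaping and emphasis rules and may not render verbatim. The entry also never says which device installation restriction is blocking the container or where under Group Policy the two "Allow installation of devices ..." settings are found (Device Installation Restrictions), so a reader who hits this cannot act on it without that pointer. The three blank lines added before "## See also" can be a single one.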
From 97f1d8c92876ceb5ec0f1bad282bdcdcec89971f Mon Sep 17 00:00:00 2001 From: Ananta Gupta Date: Mon, 18 Jan 2021 10:21:26 +0530 Subject: [PATCH 02/30] Minor update in puppet documentation --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 46100ac983..457f22019b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -157,7 +157,7 @@ $version = undef } file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - source => 'puppet:///modules/mdatp/mdatp_onboard.json', + source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', owner => root, group => root, mode => '0600', From 898d1005ef168322558437b967c02905287c6e12 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 18 Jan 2021 14:50:05 +0200 Subject: [PATCH 03/30] add information about Endpoint Manager https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8906 --- .../enable-exploit-protection.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 91a6dc887a..2e681ebc9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
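Review bot: the `source =>` change to `puppet:///modules/install_mdatp/mdatp_onboard.json` is only correct if the module directory the page tells the reader to create earlier is actually named `install_mdatp`; that part of the page is outside this hunk, so please confirm the `modules/install_mdatp/files/` layout and the class name in the manifest agree with the new path, otherwise the `file` resource fails at catalog apply. Keeping the onboarding JSON root-owned with `mode => '0600'` is the right call, since that file must not be readable by unprivileged users.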
@@ -125,6 +125,21 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## Microsoft Endpoint Manager + +1. In Microsoft Endpoint Manager, click **Endpoint Security** > **Attack surface reduction** + +2. Click **Create Policy**, select **Platform** and under **Profile** choose **Exploit Protection**. Click **Create**. + +3. Enter a name and a description and click **Next**. + +4. Click **Select XML File** and browse to the location of the exploit protection XML file, select it, and click **Next**. + +5. Configure **Scope tags** and **Assignments** if necessary. + +6. Under **Review + create**, review the configuration and click **Create** if everything is ok. + + ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. From e7491730ab4ee920cd8c6f29d27754a4d9edf369 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Mon, 18 Jan 2021 11:11:10 -0800 Subject: [PATCH 04/30] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 042ec80a0c..aa8e4b49ee 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md 
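Review bot: step 2 says "select **Platform**" but never says which platform value to choose, so the reader has to guess; name it. Step 1 is missing its trailing period, and "if everything is ok" in step 6 is informal for reference docs ("if the settings are correct"). The new section also assumes the reader already has an exploit protection XML file to upload; a short pointer to where that file comes from (exporting an existing configuration) would make the procedure self-contained. The doubled blank line before "## Microsoft Endpoint Configuration Manager" can be a single one.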
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -159,7 +159,7 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. -### Why doesn't the container not fully load when Device Control Policies are enabled? +### Why doesn't the container fully load when device control policies are enabled? The whitelisting of these items are required to be allowed in the GPO to ensure AppGuard works properly. Policy: Allow installation of devices that match any of these device IDs From ab2e1f5f7b6e84b0349ffe9d3009cb714d8f045c Mon Sep 17 00:00:00 2001 From: Ananta Gupta Date: Tue, 19 Jan 2021 14:15:14 +0530 Subject: [PATCH 05/30] Minor change in linux preferences document --- .../microsoft-defender-atp/linux-preferences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 2ec4ae0d08..9de10e2397 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -200,7 +200,7 @@ Type of threat for which the behavior is configured. Action to take when coming across a threat of the type specified in the preceding section. Can be: - **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged. -- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console. +- **Block**: The device is protected against this type of threat and you are notified in the security console. - **Off**: The device is not protected against this type of threat and nothing is logged. ||| From dc9cff975c793b19001079ad603529c9daac4b0a Mon Sep 17 00:00:00 2001 
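Review bot: the heading fix removes the double negative, but the sentence immediately under it still reads "The whitelisting of these items are required to be allowed in the GPO", which mixes singular and plural and says the same thing twice; suggest "These device IDs and the device setup class must be allowed in the GPO for Application Guard to work properly."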
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 19 Jan 2021 11:22:40 +0200 Subject: [PATCH 06/30] Update windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-exploit-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 2e681ebc9a..a3dacf2086 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -127,13 +127,13 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Microsoft Endpoint Manager -1. In Microsoft Endpoint Manager, click **Endpoint Security** > **Attack surface reduction** +1. In Microsoft Endpoint Manager, click **Endpoint Security** > **Attack surface reduction**. -2. Click **Create Policy**, select **Platform** and under **Profile** choose **Exploit Protection**. Click **Create**. +2. Click **Create Policy**, select **Platform**, and under **Profile** choose **Exploit Protection**. Click **Create**. -3. Enter a name and a description and click **Next**. +3. Enter a name and a description, and click **Next**. -4. Click **Select XML File** and browse to the location of the exploit protection XML file, select it, and click **Next**. +4. Click **Select XML File** and browse to the location of the exploit protection XML file, then select it and click **Next**. 5. Configure **Scope tags** and **Assignments** if necessary. From a8f869749b47abae45adbce4b57ea2a267b3c570 Mon Sep 17 00:00:00 2001 
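Review bot: the punctuation pass is fine, but step 2 still leaves "select **Platform**" without the value to pick; the Exploit Protection profile under Attack surface reduction is offered for the Windows 10 and later platform, so say so. The section also uses "click" throughout while patch 18 in this same series moves the rest of this file to "select"; aligning it now avoids a follow-up edit.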
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 12:18:20 +0200 Subject: [PATCH 07/30] Update attack-surface-reduction.md Added note to avoid customer questions and support cases on ASR running in passive mode (which can't work) --- .../microsoft-defender-atp/attack-surface-reduction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c0c77ae782..8d36dbefc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,6 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later +- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From a5401ac9b5dd57fc5035d576a6932cf5be74c753 Mon Sep 17 00:00:00 2001 
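Review bot: the new bullet sits under "Warn mode is supported on devices running the following versions of Windows:", but Microsoft Defender Antivirus in active mode is not a Windows version, so the list no longer matches its lead-in; move it to its own sentence after the list. The link uses a locale-specific `/en-us/` path, which the other links on the page avoid; drop it so localized builds resolve correctly. "antivirus" should also be capitalized to match "Microsoft Defender Antivirus" elsewhere on the page. The point itself is worth keeping, since the commit message notes that ASR rules cannot work with Defender in passive mode and that this is generating support cases.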
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:42:24 +0200 Subject: [PATCH 08/30] Update attack-surface-reduction.md Removed en-us to not break localization --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 8d36dbefc9..49da59cd29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ee27514dbf3fc1cd9c4503cda2356959f8a774b9 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:48:31 +0200 Subject: [PATCH 09/30] Update attack-surface-reduction.md changed to Antivirus with capital A --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 49da59cd29..bd4aac0ddc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Microsoft Defender Antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 75cafe24fec496d12d4e8caf0bb986df565d1a0f Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:53:56 +0200 Subject: [PATCH 10/30] Update attack-surface-reduction.md minor change to note to make it more logical as we are describing 'supported on devices running the following versions of Windows' --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index bd4aac0ddc..02d23be40a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender Antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ad1767c4ef0e5ab96d9d1f71b5e242cc673041b3 Mon Sep 17 00:00:00 2001 
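Review bot: replacing the bullet with a bare "Note that ..." line directly below the last list item, with no blank line in between, makes Markdown treat it as a lazy continuation of the "Windows Server, version 1809" bullet, so it still renders inside the list; add a blank line before it, and the sentence still needs a terminating period.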
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:54:54 +0200 Subject: [PATCH 11/30] Update attack-surface-reduction.md missing - --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 02d23be40a..70e2fcf02b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 2ec659de3431aa0f79af1eefcf05905205f6fe74 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 15:04:34 +0200 Subject: [PATCH 12/30] Update attack-surface-reduction.md remove '-' and lowered one line to avoid coloring in purple --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 70e2fcf02b..1378e9274d 100644 
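Review bot: restoring the "- " turns the note back into a list item under "the following versions of Windows", which is the mismatch the previous patch was trying to remove; the fix is a blank line separating the paragraph from the list, not a bullet. The sentence also still lacks a terminating period.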
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,8 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) + +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ac57c10f4fbc62cc000c46bfd6ad9a4e5e28ec5a Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 20:06:19 +0200 Subject: [PATCH 13/30] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 1378e9274d..febb1d419b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -64,7 +64,7 @@ Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 0728cd56c66fca2f393a26fca18a1cfc27ef6fc7 Mon Sep 17 00:00:00 2001 
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 20:06:39 +0200 Subject: [PATCH 14/30] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index febb1d419b..52f0a3ddf6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -66,7 +66,7 @@ Warn mode is supported on devices running the following versions of Windows: Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). -In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5` From 6941245d72b580c81b69e8a5879427d40d81225d Mon Sep 17 00:00:00 2001 
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 20 Jan 2021 12:11:11 -0800 Subject: [PATCH 15/30] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../faq-md-app-guard.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index aa8e4b49ee..1848ca38b2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -163,21 +163,21 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli The whitelisting of these items are required to be allowed in the GPO to ensure AppGuard works properly. Policy: Allow installation of devices that match any of these device IDs -• SCSI\DiskMsft____Virtual_Disk____ -• {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba -• VMS_VSF -• root\Vpcivsp -• root\VMBus -• vms_mp -• VMS_VSP -• ROOT\VKRNLINTVSP -• ROOT\VID -• root\storvsp -• vms_vsmp -• VMS_PP +- SCSI\DiskMsft____Virtual_Disk____ +- {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba +- VMS_VSF +- root\Vpcivsp +- root\VMBus +- vms_mp +- VMS_VSP +- ROOT\VKRNLINTVSP +- ROOT\VID +- root\storvsp +- vms_vsmp +- VMS_PP Policy: Allow installation of devices using drivers that match these device setup classes -• {71a27cdd-812a-11d0-bec7-08002be2092f} +- {71a27cdd-812a-11d0-bec7-08002be2092f} From 5ed21322d0b66b4c73b15eaf3e3104299d645813 Mon Sep 17 00:00:00 2001 
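Review bot: switching from "•" to "- " makes these real Markdown lists, but the items are still bare text: in `SCSI\DiskMsft____Virtual_Disk____` the backslash can be consumed as an escape and the runs of underscores can be read as emphasis delimiters, and `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` has the same backslash problem; wrap each device ID and the setup class GUID in backticks so they render verbatim and can be copied into the policy. The two "Policy:" labels would read better as bold lead-ins for their lists. The sentence above the list still says "The whitelisting of these items are required to be allowed", which needs rewording, and the three blank lines before "## See also" remain.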
From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:33:35 -0800 Subject: [PATCH 16/30] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 52f0a3ddf6..72473b65c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 01/08/2021 +ms.date: 01/20/2021 --- # Use attack surface reduction rules to prevent malware infection @@ -24,7 +24,7 @@ ms.date: 01/08/2021 **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Why attack surface reduction rules are important From 2650f302b61b16b5037656a2360d00a652c7e20c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:35:51 -0800 Subject: [PATCH 17/30] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 72473b65c6..cf10e80626 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -64,7 +64,7 @@ Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` @@ -126,13 +126,9 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: 
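Review bot: the lowercase "real-time protection" in the `@@ -64,7` hunk is consistent with the product naming used on the rest of the page. In the `@@ -126,13` hunk, removing the blank lines between the numbered steps is fine, but step 2, "Enter the words, *Event Viewer*, into the Start menu", has stray commas; "Enter *Event Viewer* in the Start menu search box" is cleaner. More importantly, the lead-in says this is how to view events generated by attack surface reduction rules, yet the file is cfa-events.xml and the trailing context says the custom view shows events "all of which are related to controlled folder access"; if the same XML covers both features, say so, otherwise this procedure points ASR readers at the wrong event view.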
@@ -465,9 +461,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` ## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - - [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) From e4f4593dff80eedc07f0af77aa5b8df6dbd04868 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:49:07 -0800 Subject: [PATCH 18/30] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 110 +++++++++--------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index a3dacf2086..aafa081de2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -46,13 +46,13 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**. +1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. @@ -60,12 +60,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -80,7 +80,7 @@ If you add an app to the **Program settings** section and configure individual m Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default 
@@ -88,38 +88,38 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. +The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list se;ect **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. 3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
-6. Click **OK** to save each open blade and click **Create**. +6. Select **OK** to save each open blade, and then choose **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**. ## MDM 
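Review bot: Typo introduced in the `@@ -88,38 +88,38 @@` hunk: `+ - If the app is not listed, at the top of the list se;ect **Add program to customize**` should read `select`. Two consistency points in the same hunk: step 1 here says to search the start menu for **Defender** and step 2 says to select **Exploit protection**, whereas the equivalent steps rewritten in the `@@ -46` hunk say **Security** and **Exploit protection settings**; pick one wording for both. Also, steps 1 to 5 placed after Example 2 repeat the Windows Security app procedure from the top of the file almost verbatim, which looks like an accidental duplicate; consider dropping them or replacing them with a reference back to that section. Finally, `The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app` mixes present and future tense; the Example 1 rewrite in the `@@ -80` hunk uses present tense, so `DEP is not enabled for any other app` would match.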
@@ -127,42 +127,42 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Microsoft Endpoint Manager -1. In Microsoft Endpoint Manager, click **Endpoint Security** > **Attack surface reduction**. +1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**. -2. Click **Create Policy**, select **Platform**, and under **Profile** choose **Exploit Protection**. Click **Create**. +2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**. -3. Enter a name and a description, and click **Next**. +3. Specify a name and a description, and then choose **Next**. -4. Click **Select XML File** and browse to the location of the exploit protection XML file, then select it and click **Next**. +4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**. 5. Configure **Scope tags** and **Assignments** if necessary. -6. Under **Review + create**, review the configuration and click **Create** if everything is ok. +6. Under **Review + create**, review the configuration and then choose **Create**. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. +3. Specify a name and a description, select **Exploit protection**, and then choose **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. +4. Browse to the location of the exploit protection XML file and select **Next**. -5. 
Review the settings and click **Next** to create the policy. +5. Review the settings, and then choose **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, select **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**. ## PowerShell 
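Review bot: One `click` survived the click-to-select sweep in the `@@ -127,42 +127,42 @@` hunk: the unchanged Group Policy step 1, `right-click the Group Policy Object you want to configure and click **Edit**`, should become `and then select **Edit**` to match the rest of this commit. In the same hunk the verbs for the **Next** button alternate between `select **Next**` (Configuration Manager step 4) and `choose **Next**` (steps 3 and 5, and the Endpoint Manager steps); either is fine, but use one throughout.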
@@ -222,27 +222,27 @@ This table lists the individual **Mitigations** (and **Audits**, when available) | Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | | :-------------- | :--------- | :---------------------------------- | :-------------------------- | -| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | -| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | -| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | -| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | -| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | -| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | -| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | -| Block remote images | App-level only | BlockRemoteImages | Audit not available | -| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | -| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | -| Disable extension points | App-level only | ExtensionPoint | Audit not available | -| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | -| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | -| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | -| Simulate execution (SimExec) | 
App-level only | EnableRopSimExec | Audit not available\[2\] | -| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | -| Validate handle usage | App-level only | StrictHandle | Audit not available | -| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | -| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | +| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available +| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available | +| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available | +| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` | +| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` | +| Block remote images | App-level only | `BlockRemoteImages` | Audit not available | +| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` | +| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | `ExtensionPoint` | Audit not available | +| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` | +| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` | +| Export address filtering (EAF) | App-level only | 
`EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] | +| Validate handle usage | App-level only | `StrictHandle` | Audit not available | +| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: 
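Review bot: The code formatting added in the `@@ -222,27 +222,27 @@` hunk misses one row: the `Code integrity guard` row leaves `AuditMicrosoftSigned, AuditStoreSigned` unformatted while every other audit keyword in the table is now in backticks. The `Randomize memory allocations (Bottom-Up ASLR)` row still lacks its closing `|` after `Audit not available` (carried over from the old table, but worth fixing while every row is being touched). Also, `EnforceModuleDepencySigning` in the `Validate image dependency integrity` row looks like a misspelling of `EnforceModuleDependencySigning`; since these keywords are meant to be passed verbatim to `Set-ProcessMitigation -Enable`, please confirm the exact name against the cmdlet before publishing, because a misspelled keyword here silently breaks the reader's command.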
@@ -253,10 +253,10 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file. ## See also -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) From eee81169e423a772145ed9ed0b340cb62779f1fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:54:30 -0800 Subject: [PATCH 19/30] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 1848ca38b2..fa3402a679 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md 
@@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 11/03/2020 +ms.date: 01/21/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -146,7 +146,7 @@ There is a known issue such that if you change the Exploit Protection settings f ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. +1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` @@ -160,24 +160,24 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. ### Why doesn't the container fully load when device control policies are enabled? -The whitelisting of these items are required to be allowed in the GPO to ensure AppGuard works properly. +Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. Policy: Allow installation of devices that match any of these device IDs -- SCSI\DiskMsft____Virtual_Disk____ -- {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba -- VMS_VSF -- root\Vpcivsp -- root\VMBus -- vms_mp -- VMS_VSP -- ROOT\VKRNLINTVSP -- ROOT\VID -- root\storvsp -- vms_vsmp -- VMS_PP +- `SCSI\DiskMsft____Virtual_Disk____` +- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` +- `VMS_VSF` +- `root\Vpcivsp` +- `root\VMBus` +- `vms_mp` +- `VMS_VSP` +- `ROOT\VKRNLINTVSP` +- `ROOT\VID` +- `root\storvsp` +- `vms_vsmp` +- `VMS_PP` Policy: Allow installation of devices using drivers that match these device setup classes -- {71a27cdd-812a-11d0-bec7-08002be2092f} +- `{71a27cdd-812a-11d0-bec7-08002be2092f}` From 8447db3932bab19ae311d31c2f4b71518046b009 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:59:28 -0800 Subject: [PATCH 20/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index d1fbec7602..cfe3a3b543 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
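Review bot: Awkward construction in the `@@ -146,7 +146,7 @@` hunk of faq-md-app-guard.md: `+1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.` has no subject for `set it`. Suggest `1. Set the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network** to **Disabled**.`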
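Review bot: Missing word in the `@@ -160,24 +160,24 @@` hunk of faq-md-app-guard.md: `+Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.` needs `to` before `ensure`. While rewording, `Allow-listed items must be configured as "allowed"` is circular; the point is that the device IDs and the device setup class listed below must be added to the two allow policies, so something like `The following device IDs and device setup class must be allowed in the Group Policy Object for Application Guard to work correctly` is clearer and uses the product name the way the surrounding text does (`Application Guard` rather than `AppGuard`).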
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp -ms.date: 01/11/2021 +ms.date: 01/21/2021 --- # Microsoft Defender Antivirus compatibility From 8d61742e2b7149360bbd336c1ae6570b8897bba1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:03:31 -0800 Subject: [PATCH 21/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index cfe3a3b543..7b5e23bd1d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -47,14 +47,17 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | -(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. +(1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. -If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key: +If you are using Windows Server, version 1803 or newer, or Windows Server 2019, set Microsoft Defender Antivirus to passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD` - Value: `1` +> [!NOTE] +> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. + See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. > [!IMPORTANT] 
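Review bot: The `@@ -47,14 +47,17 @@` hunk leaves footnote (1) out of step with the table it annotates: the footnote now says `On Windows Server, version 1803 or newer, or Windows Server 2019`, but the rows kept as context in this hunk still read `| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | ...`, and the new NOTE states that `ForceDefenderPassiveMode` is not supported on Windows Server 2016. As committed, a reader of a `Windows Server 2016 or 2019` row is sent to a registry key that the same hunk says does not work on one of those two versions. The table needs separate Windows Server 2016 rows, saying what to do there instead of the passive-mode key, in the same commit as this footnote change.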
From e2c503e9ee71bb8a38959667b3b79793da2e03be Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:14:57 -0800 Subject: [PATCH 22/30] Update microsoft-defender-antivirus-compatibility.md --- ...icrosoft-defender-antivirus-compatibility.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 7b5e23bd1d..46b7cc2375 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -38,14 +38,15 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| -| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | -| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows 10 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows 10 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually)[[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active 
mode | +| Windows Server 2016 | (1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. From d10b40afc256e861288a93668c30574429bb9f58 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:18:31 -0800 Subject: [PATCH 23/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 46b7cc2375..c45faf38d2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
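Review bot: The `@@ -38,14 +38,15 @@` hunk commits a broken table row: `+| Windows Server 2016 |` has one cell and no state, so the table renders with a dangling row. Fill in the Windows Server 2016 rows before merging. A logic question on the two rows above it: for a third-party product the `Yes` enrollment row says `Active mode[[1](#fn1)]` while the `No` row says `Must be set to passive mode (manually)[[1](#fn1)]`, yet footnote (1) says Microsoft Defender Antivirus does not enter passive mode automatically and must be set manually, without distinguishing the two enrollment states. If enrollment does not change that behaviour, both rows should carry the same wording; if it does, the row text should say what differs.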
@@ -46,11 +46,14 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually)[[1](#fn1)] | | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 | +| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) | (1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. -If you are using Windows Server, version 1803 or newer, or Windows Server 2019, set Microsoft Defender Antivirus to passive mode by setting this registry key: +If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD` From 41bfb6b812a58807aeb91015fc2a91ffd8b60a7f Mon Sep 17 00:00:00 2001 
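Review bot: The Windows Server 2016 rows added in the `@@ -46,11 +46,14 @@` hunk say `Must be disabled (manually)` for a third-party product, but nothing in the table or in footnote (1) explains why 2016 differs or how to do it; the reason sits in the NOTE a few lines further down (`ForceDefenderPassiveMode` is not supported on Windows Server 2016). Suggest a second footnote on those two rows pointing at that note and at the Windows Server 2016 article. Also, the new block lists the Microsoft Defender Antivirus rows before the third-party rows, the reverse of the order used for the Windows 10 and 1803+/2019 blocks; keep the order consistent.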
From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:19:25 -0800 Subject: [PATCH 24/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index c45faf38d2..0692acb1cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -65,7 +65,7 @@ If you are using Windows Server, version 1803 or newer, or Windows Server 2019, See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. > [!IMPORTANT] -> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. +> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019. > > In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. > From ef0d62339eb41daa0eea559148041bdbca9848fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:21:35 -0800 Subject: [PATCH 25/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
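Review bot: The rewritten IMPORTANT line in the `@@ -65,7 +65,7 @@` hunk, `Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019`, is hard to parse because `Windows Server, version 1803 or later` contains its own comma and reads as two list items. Use semicolons, or reuse the phrasing the table in this file already uses (`Windows Server, version 1803 or newer, or Windows Server 2019`); `later` and `newer` should also agree between the two places.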
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 0692acb1cc..a6bc15c92a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -88,7 +88,7 @@ The table in this section summarizes the functionality and features that are ava - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). - In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. - When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. ## Keep the following points in mind From 42556272847a811b535fac7e4f3c6a5d1bcd5a04 Mon Sep 17 00:00:00 2001 
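Review bot: The guidance added in the `@@ -88,7 +88,7 @@` hunk, `if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution`, is at odds with the table earlier in this file, where Windows Server 2016 with a third-party product is `Must be disabled (manually)` and Windows 10 without Defender for Endpoint enrollment goes to `Automatic disabled mode`. Qualify it: passive mode applies on Windows 10 when the device is enrolled in Microsoft Defender for Endpoint and on Windows Server, version 1803 or newer, or Windows Server 2019 via the `ForceDefenderPassiveMode` key, while Windows Server 2016 must be disabled. The double `if` (`if possible ... if you are using`) also reads awkwardly; `when you use a non-Microsoft ... solution` avoids it.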
From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:35:48 -0800 Subject: [PATCH 26/30] Update microsoft-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 45 ++++++++++++------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index c16f2a4930..353bfe7752 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/04/2021 +ms.date: 01/21/2021 ms.reviewer: pahuijbr, shwjha manager: dansimp --- 
@@ -23,9 +23,12 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Microsoft Defender Antivirus is available on Windows Server 2016 and 2019. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. +Microsoft Defender Antivirus is available on the following editions/versions of Windows Server: +- Windows Server 2019 +- Windows Server, version 1803 or later +- Windows Server 2016. -While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2016 and 2019: +In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: - In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. 
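Review bot: in the `@@ -23,9` hunk the new edition list ends with "- Windows Server 2016." (trailing period) while the other two items have none; drop the period or end every item the same way. The list is also ordered 2019, version 1803, 2016; ordering it consistently (newest to oldest or oldest to newest) would match the compatibility table touched by PATCH 28, which groups "Windows Server, version 1803 or newer, or Windows Server 2019" before Windows Server 2016.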
@@ -34,29 +37,29 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019). -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019). +1. [Enable the interface](#enable-the-user-interface-on-windows-server). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server). 3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). 4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). 5. (As needed) [Submit samples](#submit-samples). 6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). 7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). -## Enable the user interface on Windows Server 2016 or 2019 +## Enable the user interface on Windows Server -By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets. 
### Turn on the GUI using the Add Roles and Features Wizard -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. +1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. -In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: + In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: -![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) + ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) -In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same. + In Windows Server 2019, the **Add Roles and Feature Wizard** is similar. ### Turn on the GUI using PowerShell @@ -66,7 +69,7 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` -## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019 +## Install Microsoft Defender Antivirus on Windows Server You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus. 
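Review bot: in the `@@ -34,29` hunk the new link text "Install roles, role services, and features by using the add Roles and Features Wizard" has a lowercase "add" while the same sentence goes on to say "use the **Add Roles and Features Wizard**"; capitalize it, and consider dropping the second mention since the link text already names the wizard. The re-indented line "In Windows Server 2019, the **Add Roles and Feature Wizard** is similar." also says "Feature" where every other mention in the hunk says "Features".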
@@ -111,7 +114,7 @@ The `sc query` command returns information about the Microsoft Defender Antiviru ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. +To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods: @@ -195,10 +198,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` +### Are you using Windows Server 2016? + +If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus. + +> [!NOTE] +> You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + +The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender +``` + ## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - -- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) 
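Review bot: the `@@ -111,7` hunk lowercases "security intelligence" in the first sentence but leaves "Microsoft Defender Antivirus Security intelligence" capitalized in the second sentence and the heading "## Update antimalware Security intelligence" unchanged; pick one casing for the term across the section.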
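Review bot: in the `@@ -195,10` hunk the note "> You can't uninstall the Windows Security app, but you can disable the interface with these instructions." sits under the new "Are you using Windows Server 2016?" heading, but the instructions that follow (`Uninstall-WindowsFeature -Name Windows-Defender`) remove the antivirus feature, not the interface; the interface cmdlet is the `Uninstall-WindowsFeature -Name Windows-Defender-GUI` block directly above. Move the note up to the GUI section, or reword it to say what uninstalling the Windows-Defender feature leaves in place. The section also promises "disable/uninstall" but shows only the uninstall path; either add the disable step or say "uninstall" only. Stating whether the cmdlet requires a restart would help readers running it on production servers.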
From e72cde14b8c06a9e8261c1e1ea7ee71c4afa0ea6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:38:51 -0800 Subject: [PATCH 27/30] Update microsoft-defender-antivirus-on-windows-server-2016.md --- .../microsoft-defender-antivirus-on-windows-server-2016.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 353bfe7752..abb618c7a2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 +title: Microsoft Defender Antivirus on Windows Server description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019. keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh @@ -15,7 +15,7 @@ ms.reviewer: pahuijbr, shwjha manager: dansimp --- -# Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 +# Microsoft Defender Antivirus on Windows Server [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From 400c3845e5e3d30912695c0762f6cfa43480681a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 17:43:58 -0800 Subject: [PATCH 28/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
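Review bot: the `@@ -1,5` hunk of PATCH 27 retitles the page to "Microsoft Defender Antivirus on Windows Server", but the unchanged `description:` line directly below still reads "on Windows Server 2016 and Windows Server 2019", and `keywords:` still lists only "server 2016" and "server 2012". Since PATCH 26 added "Windows Server, version 1803 or later" to the supported list, update the description (and consider the keywords) to match the new title so search and summary text do not contradict the page.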
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index a6bc15c92a..48a74184e5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -48,8 +48,8 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually)[[2](#fn2)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually)[[2](#fn2)] | (1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. 
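Review bot: the `@@ -48,8` hunk adds `[[2](#fn2)]` links to the Windows Server 2016 rows, but nothing in this patch defines an element with id `fn2`; the footnote text added in the following `@@ -62,7` hunk is a plain "(2) ..." paragraph, which Markdown does not turn into an anchor. Check how the existing "(1)" footnote's anchor is defined and mirror that for "(2)", otherwise the link will scroll to the top of the page instead of the footnote.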
@@ -62,7 +62,9 @@ If you are using Windows Server, version 1803 or newer, or Windows Server 2019, > [!NOTE] > The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. -See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. +(2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server. + +See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. > [!IMPORTANT] > Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019. From 335d1e5f9d55d815a9568d45ffa5a8f55d34fc37 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Wed, 20 Jan 2021 18:15:27 -0800 Subject: [PATCH 29/30] fixing policy conflict description --- .../hello-manage-in-organization.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 18f6f3dbf0..c21280812b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
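Review bot: in the `@@ -62,7` hunk, footnote (2) tells readers to "disable/uninstall Microsoft Defender Antivirus manually" and links to `#are-you-using-windows-server-2016`, a section (added in PATCH 26) whose only procedure is `Uninstall-WindowsFeature -Name Windows-Defender`; either document the disable option in that section or say "uninstall" here so the link delivers what the footnote promises. Placing (2) after the `> [!NOTE]` about `ForceDefenderPassiveMode` is reasonable, since that note is why passive mode is unavailable on Windows Server 2016, but a short cross-reference ("see the note above") would make the connection explicit.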
@@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 4/16/2017 +ms.date: 1/20/2021 --- # Manage Windows Hello for Business in your organization @@ -369,9 +369,11 @@ For more information about using the PIN recovery service for PIN reset see [Win Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. -Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. +Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. -Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. +Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. + +All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. >[!NOTE] > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. 
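Review bot: in the `@@ -369,9` hunk, "All PIN complexity policies, are grouped separately" has a stray comma before "are", and "Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis" needs "is enforced" (the subject is "Conflict resolution") and "per-policy". "based on the rule above" is vague; say "based on the hierarchy above", since the preceding paragraph is the hierarchy list. The sentence "The Use Passport for Work policy is used to determine the winning policy source" would also be clearer if it said whether that is the same policy the examples below list as "Use Windows Hello for Business".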
@@ -382,8 +384,6 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- User certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6 > >The following are configured using device MDM Policy: > @@ -398,8 +398,10 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- Use certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6d +>- MinimumPINLength - 8 +>- Digits - 1 +>- LowercaseLetters - 1 +>- SpecialCharacters - 1 ## How to use Windows Hello for Business with Azure Active Directory From dcfe63e86640629e005d2ac01d4ef8389d3059b6 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 21 Jan 2021 09:51:09 -0800 Subject: [PATCH 30/30] Acrolinx: "se;ect", "Powershell" --- .../enable-exploit-protection.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index aafa081de2..2ff87af1ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -96,7 +96,7 @@ The result is that DEP is enabled for *test.exe*. DEP will not be enabled for an 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, select it, and then select **Edit**. - - If the app is not listed, at the top of the list se;ect **Add program to customize** and then choose how you want to add the app.
+ - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. @@ -110,12 +110,15 @@ The result is that DEP is enabled for *test.exe*. DEP will not be enabled for an 2. Go to **Device configuration** > **Profiles** > **Create profile**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: + + ![Enable network protection in Intune](../images/enable-ep-intune.png)
6. Select **OK** to save each open blade, and then choose **Create**. @@ -249,7 +252,7 @@ This table lists the individual **Mitigations** (and **Audits**, when available) ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell cmdlets. +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. ## Customize the notification