Merge pull request #3051 from MicrosoftDocs/master

Publish 4:00 PM 06/10/2020
This commit is contained in:
Gary Moore 2020-06-10 16:13:17 -07:00 committed by GitHub
commit 04a4c20992
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
33 changed files with 256 additions and 215 deletions

@ -17,6 +17,14 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## Windows 10 Holographic, version 2004
The topics in this library have been updated for Windows 10 Holographic, version 2004.
## HoloLens 2
The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
## April 2019
New or changed topic | Description
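Review bot: the two new headings ("Windows 10 Holographic, version 2004" and "HoloLens 2") say that topics in the library were updated but never say which ones, whereas the "April 2019" section directly below still uses the "New or changed topic | Description" table; add the same table (or at least the list of topics touched) under both new headings so a reader of this page can actually find what changed, and keep the heading style consistent with the dated sections that follow.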

@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
### Voice commands to take photos
Cortana can also take a picture. Say: "Hey Cortana, take a picture."
On HoloLens 2, version 2004 (and later), say: "Take a picture."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
### Start menu to take photos
@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
### Voice to record videos
Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
### Start menu to record videos
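Review bot: in both voice-command hunks the version 2004 phrasing drops the "Hey Cortana" wake word but the text does not say whether the old Cortana-prefixed phrases still work on 2004 or are no longer recognized; state that explicitly, since a user upgrading from 1903 will otherwise try the wrong form. Also "On HoloLens (1st gen) or HoloLens 2, version 1903" reads as if 1st gen also ships version 1903; reword to "On HoloLens (1st gen), or on HoloLens 2 running version 1903".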

@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
- HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

@ -16,6 +16,9 @@ appliesto:
# Unlock Windows Holographic for Business features
> [!IMPORTANT]
> This page only applies to HoloLens 1st Gen.
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 that is designed for HoloLens), and in the [Commercial Suite](hololens-commercial-features.md), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. You can apply this license to the device either by using the organization's [mobile device management (MDM) provider](#edition-upgrade-by-using-mdm) or a [provisioning package](#edition-upgrade-by-using-a-provisioning-package).
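Review bot: the new IMPORTANT note says the page applies only to HoloLens 1st Gen, but the `appliesto:` front matter visible in the hunk header is left untouched; make sure it lists only the first-generation device so the page metadata agrees with the note instead of contradicting it, and use the spelling the camera topic in this same commit uses, "HoloLens (1st gen)", rather than "HoloLens 1st Gen".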

@ -71,10 +71,9 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
- Advanced Recovery Companion (ARC)
- The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
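Review bot: moving the build requirement from the companion computer to the device itself is the right fix, but the new bullet calls "19041.1002.200107-0909" a "Windows 10" version when it is a Windows Holographic build (version 2004), and after the split the text no longer says how a device that must not yet be set up or enrolled (first bullet) gets onto that build; say that the requirement is Windows Holographic, version 2004 (build 19041.1002 or later) and that the Advanced Recovery Companion on the connected computer is how you flash it before OOBE, otherwise the ARC bullet and the build bullet look unrelated. Minor: "USB C to Wifi" should be "USB-C to Wi-Fi", and the dangling ")" in the old bullet should not be reintroduced.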

@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
- SurfaceUpdate\Itouch
Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3.
- IclSerialIOGPIO
- IclSerialIOI2C
- IclSerialIOSPI
- IclSerialIOUART
- itouch
- IclChipset
- IclChipsetLPSS
- IclChipsetNorthpeak
- ManagementEngine
- SurfaceAcpiNotify
- SurfaceBattery
- SurfaceDockIntegration
- SurfaceHidMini
- SurfaceHotPlug
- SurfaceIntegration
- SurfaceSerialHub
- SurfaceService
- SurfaceStorageFwUpdate
> [!NOTE]
> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.
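Review bot: the second folder list (IclSerialIOGPIO through SurfaceStorageFwUpdate) overlaps the list directly above it (SurfaceSerialHub, SurfaceHotPlug and Itouch/itouch appear in both) and drops the `SurfaceUpdate\` prefix even though the new NOTE says the prefix depends on the age of the MSI; say whether this list replaces or extends the first one, which MSI layout it corresponds to, and which Surface Laptop 3 model it applies to (the Icl* folder names imply the Intel variant, but the sentence only says "Surface Laptop 3"). Also pick one casing for itouch.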

@ -38,7 +38,7 @@ Restricting Surface Dock 2 to authorized persons signed into a corporate host de
This section provides step-by-step guidance for the following tasks:
1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/download/details.aspx?id=46703).
1. Create or obtain public key certificates.
1. Create an .MSI configuration package.
1. Add your certificates.

@ -15,29 +15,29 @@ audience: itpro
---
# Surface Book 3 Quadro RTX 3000 technical overview
Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
## Enterprise grade solution
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
## Built for compute-intensive workloads
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
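Review bot: the rewritten driver paragraph says NVIDIA validates the ODE drivers and that Surface engineering tests them again "prior to release via Windows Update", but the page never tells an admin which channel to take drivers from; state whether Surface Book 3 should receive Quadro drivers only through Windows Update and the Surface driver MSI, or whether ODE packages downloaded directly from NVIDIA are also supported, because that determines what a patched device is expected to look like. Also the Ray Tracing bullet is re-emitted with no visible change (whitespace only), which adds noise to the diff.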
@ -45,14 +45,14 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
| **Component** | **Description** |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
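Review bot: the RT cores and tensor cores rows are re-emitted but still carry the errors this copyedit pass should have caught: "using low number of rays casted through a pixel" should read "using a low number of rays cast through a pixel", "compared with previous generation" needs "the", and "Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver" has a stray comma before the verb. In the compute preemption row, "Preemption at the instruction-level" should be "at the instruction level".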
@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
## App acceleration
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
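Review bot: "SPECview perf 13" is the SPECviewperf 13 benchmark, one word; fix the name in the rewritten sentence. The phrase "devices in the market as of March 2020" is also ambiguous about whether the date qualifies both devices or only the Surface Book 2 baseline; attach it to the comparison date instead.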
@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows. <br> |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.<br>- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.<br>- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Autodesk<br>Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.<br>- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- OpenGL Viewport Acceleration. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15” |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15. |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15”. |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15". |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. |
| McNeel & Associates<br>Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.<br>- Supports Cycles for GPU-accelerated 3D rendering. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10 x faster compared with Surface Book 2 15”.. |
| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10x faster compared with Surface Book 2 15”. |
| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. |
| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.<br>- Runs more than 15% faster compared with Surface Book 2 15”. |
| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. |
## SKUs
**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
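Review bot: the table fixes are inconsistent about inch marks and percentages: the Dassault 3D Experience row now ends with a straight `15"` while every other row uses the curly `15”`, and speedups are written variously as "70 percent", "50%", "100%", "2x" and "10x"; pick one form for each. Also "Paint materials onto 3d models" should be "3D models", "3rd party" should be "third-party", and the Substance Painter row still ends with a stray `<br>` before the closing pipe.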
@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
## Summary
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
- RTX-acceleration across multiple workflows like design, animation, video production, and more.
- Desktop-grade performance in a mobile form factor.

@ -32,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
>[!NOTE]
>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md).
![Microsoft Surface UEFI Configurator](images/surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
*Figure 1. Microsoft Surface UEFI Configurator*
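Review bot: the new NOTE is inserted between the sentence that ends "as shown in Figure 1" and the figure itself, so the figure no longer follows the text that introduces it; move the NOTE below the Figure 1 caption.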
@ -282,6 +285,6 @@ This version of SEMM includes:
## Related topics
[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)

@ -20,40 +20,45 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
![Remote Desktop Connection client](images/rdp.png)
>[!TIP]
>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
> [!TIP]
> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
![Allow remote connections to this computer](images/allow-rdp.png)
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example: </br>
> for cloud only user: "There is no such global user or group : *name*" </br>
> for synced user: "There is no such global user or group : *name*" </br>
>
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
>In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
> [!NOTE]
> You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
> ```PowerShell
> net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
> ```
> where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example:
> - for cloud only user: "There is no such global user or group : *name*"
> - for synced user: "There is no such global user or group : *name*" </br>
>
> In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
> In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
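Review bot: the rewritten NOTE still calls `net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"` a "PowerShell cmdlet", but `net localgroup` is the classic net.exe command and runs the same from cmd.exe; say "command" so readers do not go looking for a cmdlet. The explanation that follows contradicts its own placeholder: the argument is named after the UPN, yet the sentence says it is "the name of the user profile in C:\Users\, which is created based on the DisplayName attribute" (carried over from the old *FirstnameLastname* wording). State plainly that the value after `AzureAD\` is the account's UPN, not the profile folder name. The two error examples ("for cloud only user" and "for synced user") are identical strings, so listing both adds nothing; one line with the error text suffices. Finally, since the step above it tells readers to add the whole **Authenticated Users** group, which lets every account in the tenant reach the PC over RDP, the per-user `net localgroup` approach should be framed as the least-privilege option rather than buried in a note.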
@ -61,33 +66,32 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Windows Hello for Business, with or without an MDM subscription.
- Windows Hello for Business, with or without an MDM subscription.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
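Review bot: the context line "enter your account name in this format: `AzureAD UPN`" has lost the backslash separator (compare `AzureAD\...` in the command above); in Markdown the backslash needs to be inside a code span or escaped, otherwise readers type the wrong thing. In the rewritten sentence, "revert back to RDP 5.0" is redundant ("revert to"). The four "Supported configurations" lists are now inconsistent in punctuation: only the last bullet of each list gained a period ("Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.") while "Password" and "Smartcards" have none; either end every bullet with a period or none. "Smartcards" is also "smart cards" elsewhere in this doc set.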
@ -96,14 +100,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)

View File

@ -38,7 +38,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
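Review bot: adding 1909 to the v6 row is correct, but Windows 10 version 2004 also uses the v6 profile format and shipped before this commit, so the row will be out of date on publication; list it alongside 1909 while the table is being touched.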

View File

@ -73,7 +73,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing.
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
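Review bot: the unchanged sentence after the edited line is technically wrong and should be fixed while this description is open: "leverage the I/O Memory Management Unit (IOMMU) of a device" attributes the IOMMU to the peripheral, but the IOMMU belongs to the platform (chipset/SoC) and is what the OS uses to constrain the peripheral; write "the platform's IOMMU". In the same paragraph "unallowed" should be "disallowed", and "DMA capable devices" should be hyphenated ("DMA-capable") in both the old and new sentence. The added link to the DMA remapping driver article is useful; consider also stating that devices whose drivers do not opt in to DMA remapping are the ones this policy can block, which is the practical meaning of "incompatible with DMA Remapping".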

View File

@ -299,7 +299,7 @@ This example configures the same as example 2 using compounding And elements. T
#### Example 4
This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
```
<rule version="1.0">
<rule schemaVersion="1.0">
<signal type="wifi">
<ssid>contoso</ssid>
<bssid>12-ab-34-ff-e5-46</bssid>
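Review bot: changing `<rule version="1.0">` to `<rule schemaVersion="1.0">` only makes sense if the other examples in this article use the same attribute; the hunk does not show Examples 1 through 3, so please confirm they were updated to match (or already use `schemaVersion`), otherwise the article now disagrees with itself. The fence opened on the ``` line carries no language tag; tagging it `xml` gives readers syntax highlighting and matches the other XML samples in the docs set.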

View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -131,6 +131,11 @@ This table provides info about the most common problems you might encounter whil
</td>
<td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
</td>
</tr>
<tr>
<td>By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks.</td>
<td>OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon)</td>
<td>If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business.</td>
</tr>
<tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
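Review bot: the new table row has typos that will ship verbatim: "Onenote does not support" should be "OneNote does not support", and "File > New > OnedDive - company name notebook" should read "OneDrive"; that second phrase is also hard to parse as a menu path and would read better as "File > New, then choose the OneDrive - <company name> notebook location". The second cell ends without a period after "(with a OneNote icon)". In the third cell, "they are 'stuck' in the old local format" and "Hold Ctrl + drag and drop the sections" use scare quotes and an ad-hoc key notation that differ from the surrounding rows; the doc elsewhere writes keys as **Ctrl**.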

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/05/2020
ms.date: 06/08/2020
ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
@ -25,17 +25,17 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.
Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis);
- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or
- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Microsoft Defender Antivirus.
What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
## Submit a file to Microsoft for analysis
1. Review the [submission guidelines](../intelligence/submission-guide.md).
2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
> [!TIP]
> We recommend signing in at the submission portal so you can track the results of your submissions.
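Review bot: the three rewritten bullets present "Define an exclusion on an individual Windows device" as an option on par with submitting a sample, but an exclusion permanently stops the engine from inspecting that path, extension or process, which is exactly the blind spot attackers look for; add a one-line caveat here (not only in the linked article) that exclusions are the last resort and should be scoped as narrowly as possible. The list items lost their trailing semicolons and "or", which is fine, but the third bullet also lost "by Microsoft Defender Antivirus", so the sentence now reads as if scanning in general is prevented. Line "2. [Submit your file or sample]" appears twice in the hunk with only whitespace changed; make sure the old copy is really removed and not duplicated in the rendered page.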
@ -48,7 +48,7 @@ To set up your "Allow" indicator, follow the guidance in [Manage indicators](htt
## Define an exclusion on an individual Windows device to prevent an item from being scanned
When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
1. On your Windows 10 device, open the Windows Security app.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
@ -64,8 +64,8 @@ The following table summarizes exclusion types, how they're defined, and what ha
|**File type** |File extension <br/>Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path <br>Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
To learn more, see:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
To learn more, see:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
## Related articles

View File

@ -43,11 +43,11 @@ A specific process | The executable file `c:\test\process.exe` | File and folder
Exclusion lists have the following characteristics:
- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
@ -62,7 +62,7 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-def
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
@ -91,10 +91,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
@ -178,14 +178,14 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
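Review bot: the `?` row's first example, "`C:\MyData\my` would include `C:\MyData\my1.zip`", contains no question mark, so it does not demonstrate the wildcard at all; the intended pattern is presumably `C:\MyData\my?.zip`, and since this table is being edited it should be fixed now. In the rewritten `*` row, "wild carded" should be one word ("wildcarded"), and the example cells embed prose inside code spans ("`C:\somepath\Archives\Data and its subfolders`"); put "and its subfolders" outside the backticks as the `?` row already does, otherwise readers may think the path literally contains those words. Also, "stands in place for a single folder" in the edited IMPORTANT bullet reads more naturally as "stands in for a single folder".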
@ -215,7 +215,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
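Review bot: the rewritten bullet introduces a subject-verb error: "Each of the lists are displayed" should be "Each of the lists is displayed". The unchanged bullet below it says "Each use of `Add-MpPreference` is written to a new line" in a section about retrieving the exclusion list; `Add-MpPreference` adds entries, so this almost certainly means `Get-MpPreference` and should be corrected while the section is open.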
### Validate the exclusion list by using MpCmdRun
@ -271,7 +271,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
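Review bot: the EICAR download in this section (`Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt"`) and the link to the EICAR site both use plain http; fetching a file over an unencrypted channel and then dropping it into a path that has just been excluded from scanning is a poor habit to teach, so use https if the site offers it. The validation text should also say that the check only proves anything when real-time protection is on and the exclusion has been applied to the same profile, otherwise "no report of malware" can mean the scan never ran rather than that the exclusion works.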

View File

@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
With tamper protection, malicious apps are prevented from taking actions like these:
With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@ -37,11 +37,10 @@ With tamper protection, malicious apps are prevented from taking actions like th
### How it works
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
- and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
@ -80,22 +79,22 @@ Here's what you see in the Windows Security app:
## Turn tamper protection on (or off) for your organization using Intune
If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)).
> [!NOTE]
> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
3. Select **Device configuration** > **Profiles**.
@ -113,9 +112,9 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups.
Here's what you see in the Windows Security app:
Here's what you see in the Windows Security app:
![Turning tamper protection on in Windows 10 Enterprise](images/turnontamperprotect-enterprise.png)
![Turning tamper protection on in Windows 10 Enterprise](images/turnontamperprotect-enterprise.png)
### Are you using Windows OS 1709, 1803, or 1809?
@ -131,17 +130,17 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
## View information about tampering attempts
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
![Microsoft Defender Security Center](images/tamperattemptalert.png)
Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
## Review your security recommendations
Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
![Tamper protection results in security recommendations](../images/securityrecs-tamperprotect.jpg)
@ -216,7 +215,7 @@ In this case, tamper protection status changes, and this feature is no longer ap
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:

View File

@ -91,7 +91,6 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
### Why do the Network Isolation policies in Group Policy and CSP look different?
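Review bot: style point on the context line beginning "Microsoft Defender Application Guard accesses files": it switches to the legacy abbreviation mid-paragraph ("WDAG will not work") while the heading and the first sentence use the current product name. Since this hunk only drops a line in this section, it is a cheap opportunity to align the name, e.g. "Microsoft Defender Application Guard will not work and returns an error message".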

View File

@ -21,61 +21,61 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
Microsoft Defender API has an official Flow Connector with a lot of capabilities:
Microsoft Defender API has an official Flow Connector with many capabilities.
![Image of edit credentials](images/api-flow-0.png)
## Usage example
The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
- Login to [Microsoft Flow](https://flow.microsoft.com)
1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
- Go to: My flows > New > Automated
2. Go to **My flows** > **New** > **Automated-from blank**.
![Image of edit credentials](images/api-flow-1.png)
![Image of edit credentials](images/api-flow-1.png)
- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
![Image of edit credentials](images/api-flow-2.png)
![Image of edit credentials](images/api-flow-2.png)
- Now you have a Flow that is triggered every time a new Alert occurs.
Now you have a Flow that is triggered every time a new Alert occurs.
![Image of edit credentials](images/api-flow-3.png)
All you need to do now, is to choose your next steps.
Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
All you need to do now is choose your next steps.
For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
### Get the Alert entity using the connector
### Get the Alert entity using the connector
- Choose Microsoft Defender ATP for new step.
1. Choose **Microsoft Defender ATP** for the new step.
- Choose Alerts - Get single alert API.
2. Choose **Alerts - Get single alert API**.
- Set the Alert Id from the last step as Input.
3. Set the **Alert ID** from the last step as **Input**.
![Image of edit credentials](images/api-flow-4.png)
![Image of edit credentials](images/api-flow-4.png)
### Isolate the machine if the Alert's severity is High
- Add **Condition** as a new step .
1. Add **Condition** as a new step.
- Check if Alert severity equals to **High**.
2. Check if the Alert severity **is equal to** High.
- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
![Image of edit credentials](images/api-flow-5.png)
![Image of edit credentials](images/api-flow-5.png)
Now you can add a new step for mailing about the Alert and the Isolation.
There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
Save your flow and that's all.
3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
4. Save your flow.
You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
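Review bot: the line "If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment." lost the list marker it had before ("- If yes, ...") and now sits as a bare paragraph between steps 2 and 3, which breaks the numbered list; indent it as a sub-item of step 2 or give it its own number. Naming is also inconsistent after the rename: the intro now says "Microsoft Power Automate", but the very next sentence keeps "official Flow Connector" and the usage example keeps "create a Flow"; pick one term for the product and one for the artifact. Finally, the walkthrough wires a containment action (network isolation of the machine) to every High severity alert, but nothing tells the reader what isolation does to the machine or that a false-positive alert will take a production machine offline; one sentence saying that isolation cuts the device's network connectivity and should be reversed once the alert is triaged would make the example safe to copy.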

View File

@ -100,4 +100,4 @@ Machine configuration management monitors baseline compliance only of Windows 10
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/29/2020
ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
@ -201,7 +201,3 @@ Example:
- [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
* [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Enable cloud-delivered protection](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
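Review bot: both entries labelled "Attack surface reduction FAQ" in this hunk point at attack-surface-reduction.md, the same file the "Reduce attack surfaces with attack surface reduction rules" entry targets, so whichever FAQ entry survives sends the reader to the general ASR page rather than an FAQ; either point it at the FAQ page if one exists or retitle the link. Dropping the "Enable cloud-delivered protection" entry is right as written, since its target (configure-extension-file-exclusions-microsoft-defender-antivirus.md) does not match its label.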

View File

@ -49,9 +49,8 @@ To have your company listed as a partner in the in-product partner page, you wil
6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`.
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
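Review bot: the new security-partner format `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` puts the tenant ID in the product-version position of the User-Agent product token, and step 1 still says the name includes "the version of the product that includes this integration", which is no longer true for that format; either keep `{Version}` and carry the tenant ID elsewhere, or reword step 1. As written, the two formats differ only in what follows the slash, so whatever consumes these headers cannot distinguish a version such as `1.0.0` from a tenant ID without knowing which partner type the sender is; say which format the `MdatpPartner-Contoso-ContosoCognito/1.0.0` example illustrates. Also, RFC 2616 is obsoleted; the current User-Agent definition is RFC 7231, section 5.5.3.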

View File

@ -87,6 +87,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
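Review bot: the added row's description, "Turn on/off passiveMode", does not say what the switch does. Enabling passive mode changes whether the product actively blocks threats on the machine, so a reader who copies `mdatp --config passiveMode on` from this table should be told that, ideally with a link to the passive-mode explanation. Style: the neighbouring rows spell settings out in prose ("PUA protection"), so "passive mode" rather than the camel-cased key in the description column.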

View File

@ -1,6 +1,6 @@
---
title: Microsoft Defender Advanced Threat Protection
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats.
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -23,7 +23,7 @@ ms.topic: conceptual
>
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
<p></p>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
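Review bot: the reworded sentence now reads "an enterprise endpoint security platform designed to help enterprise networks", repeating "enterprise"; "designed to help organizations prevent, detect, investigate, and respond to advanced threats" avoids the echo. The empty `<p></p>` before the video embed is raw HTML doing the job of a blank line; a blank line is enough.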

View File

@ -40,15 +40,23 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
> [!NOTE]
> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
- Microsoft Defender ATP for Servers (one per covered Server)
> [!NOTE]
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
## Browser requirements
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
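Review bot: the sentence "This license applies to Microsoft Defender ATP for Linux." at the end of the Server-SL note does not say which license it means (the Server SL, or the user SLs that make up the combined minimum of 50) nor whether a Linux server counts as a covered Server OSE; spell that out. The "comparison PDF" link reuses fwlink linkid=2069559, which elsewhere in this commit is the link behind "Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)" in an Applies to line, so it probably does not resolve to an edition comparison; verify the target. Also "For a detailed comparison table of Windows 10 commercial edition comparison" repeats "comparison".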

View File

@ -49,26 +49,7 @@ You can remediate the issues based on prioritized [security recommendations](tvm
## Reduce your threat and vulnerability exposure
To lower your threat and vulnerability exposure, follow these steps.
1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) and select an item on the list.
![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png)
Always prioritize recommendations that are associated with ongoing threats:
- ![Red bug](images/tvm_bug_icon.png) Threat insight icon
- ![Arrow hitting a target](images/tvm_alert_icon.png) Active alert icon
2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. ![Example of security recommendations page with the flyout "Update Windows Server 2019" open.](images/tvm_security_recommendations_page.png)
3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Example of the software page for Git, and a flyout open for a selected machine.](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Example of a machine page.](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
## Related topics
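Review bot: the replacement paragraph drops the one piece of prioritization guidance the section had, the instruction to handle recommendations flagged with the threat insight and active alert icons first, and the note that changes take a few hours to propagate before the exposure score reflects them. Unless tvm-security-recommendation.md carries both points, keep a sentence saying to prioritize recommendations associated with ongoing threats and active alerts, since that is what makes remediation order a security decision rather than a score-chasing one.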

View File

@ -85,7 +85,7 @@ Select the security recommendation that you want to investigate or process.
From the flyout, you can do any of the following:
- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.
- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
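Review bot: typo in the rewritten "Open software page" bullet: "names and detailed of devices" should be "names and details of devices". The list in that sentence also separates "number of exposed devices" from "discovered vulnerabilities" and "weaknesses discovered", which read as the same thing; if weaknesses and vulnerabilities are distinct concepts on the software page, say how, otherwise keep one term.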

View File

@ -58,7 +58,7 @@ Once you are in the Software inventory page and have opened the flyout panel by
## Software evidence
We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
We now show evidence of where we detected a specific software on a machine from the registry, disk or both.
You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
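Review bot: grammar in the context line "You can find it on any machines found in the machines list": "on any machine found". In the rewritten sentence, "a specific software" is uncountable; "a specific software package" or "a specific application" reads better, and "where we detected ... from the registry, disk or both" would be clearer as "whether the software was detected in the registry, on disk, or both".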
@ -86,4 +86,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

View File

@ -22,6 +22,7 @@ ms.author: dansimp
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
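Review bot: in the context line "Windows 8.1 with [KB 4102219]" the link text transposes the KB number; the URL and the Windows Server 2012 R2 entry both say KB 4012219. The Windows Server 2012 R2 line is also missing a space before the link ("with[KB 4012219]"). Both are worth fixing in the same change that adds Windows Server 2019 to the list.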

View File

@ -43,7 +43,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
### Best practices
- Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts.
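Review bot: "Not setting one of the sides will prevent client computers from communicating with the server" overstates the failure case. A client left at its default, Negotiate signing, still signs against a server set to Require signing; communication fails only when the client is set to None (or cannot sign) and the server requires signing, or when the client requires signing and the server cannot provide it. Suggest stating the rationale as "setting only one side leaves unsigned traffic possible" and describing the real failure cases under Potential impact.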
### Location
@ -84,11 +84,11 @@ Unsigned network traffic is susceptible to man-in-the-middle attacks in which an
### Countermeasure
Configure the **Network security: LDAP server signing requirements** setting to **Require signature**.
Configure the **Network security: LDAP client signing requirements** setting to **Require signing**.
### Potential impact
If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts.
If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**.
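Review bot: "it may fail to communicate with the LDAP servers that do not require requests to be signed" should read "do not support signing". A client set to Require signing negotiates signing with any server that supports it, whether or not that server requires it, so the client-side setting is safe against domain controllers regardless of the server-side policy; the servers it cannot talk to are those with no signing support. Renaming the countermeasure to the client policy is correct for this page: the server-side policy lives under "Domain controller:", as the Best practices section now says, and the old "Network security: LDAP server signing requirements" named a setting that does not exist under that prefix.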
## Related topics

View File

@ -19,7 +19,7 @@ ms.date: 08/17/2017
# Create an Authentication Request Rule
**Applies to**
**Applies to:**
- Windows 10
- Windows Server 2016
@ -27,9 +27,9 @@ After you have configured IPsec algorithms and authentication methods, you can c
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs.
To create the authentication request rule
To create the authentication request rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
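Review bot: the expansion in "delegated permissions to modify the (Group Policy Objects) GPOs" has the parenthesis the wrong way round; write "modify the Group Policy Objects (GPOs)".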
@ -39,9 +39,10 @@ To create the authentication request rule
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
>**Caution:**  Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
> [!CAUTION]
> Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
@ -49,7 +50,9 @@ To create the authentication request rule
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
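Review bot: two wording points in this hunk. In the new step 6, "then Click **Customize**" has a capitalized verb mid-sentence ("then click"). In the context line for option 3, "This option works with other devices than can use IKE v1" should be "that can use IKE v1". Separately, option 4 now says "Selecting this option enables you to specify a custom combination of authentication methods" and step 6 repeats that phrase almost verbatim; keep the description in option 4 to what the option is and leave the how to step 6.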
@ -75,18 +78,19 @@ To create the authentication request rule
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
>**Important:**  Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
> [!IMPORTANT]
> Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
- On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.

View File

@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f
## Reviewing your Windows Defender Firewall with Advanced Security Design
If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
### Decide which devices apply to which GPO
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
- [Planning the GPOs](planning-the-gpos.md)
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
- [Planning GPO Deployment](planning-gpo-deployment.md)
- [Planning the GPOs](planning-the-gpos.md)
- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
- [Planning GPO Deployment](planning-gpo-deployment.md)
- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
### Configure communication between members and devices
- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
- The requirement that all devices that must communicate with each other share a common set of:
### Exempt domain controllers from IPsec authentication requirements
- Authentication methods
It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
- Main mode key exchange algorithms
### Configure IPsec authentication rules
- Quick mode data integrity algorithms
The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
### Make sure all devices can communicate with each other
For all devices to communicate with each other, they must share a common set of:
- Authentication methods
- Main mode key exchange algorithms
- Quick mode data integrity algorithms
If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
## Deploy your Windows Firewall Design Plan
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
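Review bot: two of the new sections keep the sentence fragments they had as list items under "Review the following points": "The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO." and "The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed." Now that they stand alone under headings they need a verb, e.g. "Review the design team's strategy for ..." and "Understand the rationale for ...". The last section's lead-in is also slightly off: sharing a common set of algorithms is the condition for any two devices to communicate, not only for "all devices", so "For two devices to communicate, they must share at least one of each of the following" matches the closing sentence better.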

View File

@ -23,6 +23,7 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
@ -61,6 +62,7 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
@ -140,6 +142,7 @@ These documents describe how to configure Windows to replicate the configuration
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)