deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

merge two branches

Browse Source
This commit is contained in:
Joey Caparas
2016-07-25 17:07:21 +10:00
parent 4df27da188
commit 053e70b860
26 changed files with 484 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.

7
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -11,16 +11,13 @@ author: mjcaparas
---
# Assign user access to the Windows Defender ATP portal
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Azure Active Directory
<!--Office 365-->
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). User can be assigned one of the following levels of permissions:
- Full access (Read and Write)
- Read only access

84
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Configure an Azure Active Directory application for SIEM integration
description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
keywords: configure aad for siem integration, siem integration, application, oauth 2
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure an Azure Active Directory application for SIEM integration
**Applies to:**
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com).
2. Select **Active Directory**.
3. Select your tenant.
4. Select **Applications**, then select **Add** to create a new application.
5. Select **Add an application my organization is developing**.
6. Choose a client name for the application, for example, *Alert Export Client*.
7. Select **WEB APPLICATION AND/OR WEB API**.
8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
9. Confirm the request details and verify that you have successfully added the app.
10. Select the application you've just created from the directory application list and select **Configure**.
11. Type the following URL in the **Reply URL** field: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`.
12. Scroll down to the **keys** section and select a duration for the application key.
13. Select **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`. An Azure login page appears.
> **Notes:**&nbsp;&nbsp;
- Replace *tenant ID* with your actual tenant ID.
- Keep the client secret as is. This is a dummy value, but the parameter must appear.
15. Sign in with the credentials of a user from your tenant.
16. Select **Accept** to provide consent. Ignore the error.
17. Select **Application configuration** under your tenant.
18. Select **Permissions to other applications**, then select **Add application**.
19. Select **All apps** from the **SHOW** field and submit.
20. Select **SevilleAlertExport** [RONEN, I ASSUME THIS WILL BE RENAMED?], then select **+** to add the application. You should see it on the **SELECTED** panel.
21. Submit your changes.
22. On the **SevilleAlertExport** record, in the **Delegated Permissions** field, select **Access SevilleAlertExport**.
23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
RONEN - I THINK I'M MISSING SOME STEPS HERE - I THINK I NEED TO PUT IN INFORMATION ON CLICK VIEW ENDPOINT SO THAT CUSTOMERS CAN SEE THEIR OAUTH 2 TOKEN ENDPOINT AND OAUTH 2 AUTHORIZATION ENDPOINT DETAILS.
SHOULD I INCLUDE THOSE INFORMATION HERE? OR CREATE A SEPARATE TOPIC FOR THAT? OR INCLUDE IT IN THE SPLUNK/ARCSIGHT STEPS?
## Related topics
- Configure Splunk
- Configure HP ArcSight

67
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Configure HP ArcSight to consume Windows Defender ATP alerts
description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure HP ArcSight to consume Windows Defender ATP alerts
**Applies to:**
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
### Before you begin
- Get the following information from your Azure Active Directory (AAD) application:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see I NEED URL FOR THE HYPERLINK HERE TO WHERE YOU GOT THE ARCSIGHT DEVELOPER'S GUIDE PDF.
- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. (RONEN - MAY I HAVE THE LINK FROM WHERE CUSTOMERS CAN DOWNLOAD THE PACKAGE)
- Contact the Windows Defender ATP team to provide you your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in _______ NEED LINK TO THE PDF AGAIN HERE.
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin)
1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
2. Save the *wdatp-connector.properties* file into a folder of your choosing.
3. Open an elevated command-line:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears.
5. In the form fill in the following required fields with these values:
Field | Value
:---|:---
Configuration File | Type in the name of the client property file. It must match the client property file.
Events URL | `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`
Authentication Type | OAuth 2
OAuth 2 Client Properties File | Select *wdatp-connector.properties*.
Refresh Token | Paste the refresh token that your Windows Defender ATP contact provided, or you the one you get after running the `restutil` tool.
All other values in the form are optional and can be left blank.
6. Select **Next**, then **Save**.
7. Run the connector. You can choose to run in service mode or application mode. RONEN - Should this be Service mode or Application mode (capitalized S and capitalized A?)
8. In the HP ArcSight console, create a **Windows Defender ATP** channel with an intervals and properties suitable to your enterprise needs.
## Related topic
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)

8
windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender ATP endpoints
description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
description: Configure endpoints so that they are onboarded to the service.
keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:

83
windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -15,11 +15,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
@ -30,6 +28,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Configure the proxy server manually using Netsh
- Configure the proxy server manually using a static proxy
## Configure Web Proxy Auto Detect (WPAD) settings and proxy server
Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings.
@ -112,72 +112,79 @@ netsh winhttp show proxy
For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)
## Configure the proxy server manually using a static proxy
Configure a static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
1. Click **Start**, type **Run**, and press **Enter**.
2. From the **Run** dialog box, type **regedit** and press **Enter**.
3. In the **Registry Editor** navigate to the Status key under:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
```
4. Right-click **DataCollection** and select **New** > **String value**.
5. Write the proxy address in the following format:
```
[proxy_ip:port]
```
6. Restart the PC.
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
U.S. region:
- *.blob.core.windows.net
- crl.microsoft.com
- us.vortex-win.data.microsoft.com
- winatp-gw-cus.microsoft.com
- winatp-gw-eus.microsoft.com
- www.microsoft.com
EU region:
- *.blob.core.windows.net
- crl.microsoft.com
- eu.vortex-win.data.microsoft.com
- sevillegwcus.microsoft.com
- sevillegweus.microsoft.com
- sevillegwneu.microsoft.com
- sevillegwweu.microsoft.com
- us.vortex-win.data.microsoft.com
- winatp-gw-weu.microsoft.com
- winatp-gw-neu.microsoft.com
- www.microsoft.com
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
## Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
1. Download the connectivity verification tool to the PC where Windows Defender ATP sensor is running on:
- [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
- [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
- Download Snapshot - NEED LINK ON WHERE TO DOWNLOAD THIS.
2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
3. Open an elevated command-line:
2. Open an elevated command-line:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
3. Enter the following command and press **Enter**:
```
HardDrivePath\PsExec.exe -s cmd.exe
HardDrivePath\PsExec.exe -s -i HardDrivePath\SenseSnapshot.exe
```
Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
![Image showing the command line](images/psexec-cmd.png)
Replace *HardDrivePath* with the path where the SenseSnapshot tool was downloaded to, for example ```C:\Programfiles\mytool\sensesnapshottool\SenseSnapshot.exe```.
5. Enter the following command and press **Enter**:
4. Extract the Snapshot.xml file from the Snapshot.zip created in the *HardDrivePath* folder.
```
HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
```
Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
![Image showing the command line](images/portqry.png)
5. Open Snapshot.xml using any XML reader and go to the Connections section of the file.
6. Verify that the output shows that the name is **resolved** and connection status is **listening**.
7. Repeat the same steps for the remaining URLs with the following arguments:
- portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
- portqry.exe -n www.microsoft.com -e 80 -p tcp
- portqry.exe -n crl.microsoft.com -e 80 -p tcp
8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
6. Verify that the **Result** field of each relevant URL shows that the name is **resolved** and connection status is **listening**.
If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
> **Note**&nbsp;&nbsp;SenseSnapshot verifies connectivity for all URLs (including EU and U.S.), so you can ignore results of connectivity verification for irrelevant geo-locations.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

54
windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Configure security information and events management tools
description: Configure supported security information and events management tools to receive and consume alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure security information and events management (SIEM) tools to consume alerts
**Applies to:**
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure Active Directory (AAD). The endpoint can be configured to get alerts from your enterprise tenant in AAD using the OAuth 2.0 authentication protocol in an application hosted in AAD.
Windows Defender ATP supports the following SIEM tools:
- Splunk
- HPE ArcSight
To use either of these supported SIEM tools you'll need to:
- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- Configure Splunk to consume alerts
- Configure HP ArcSight to consume alerts
After configuring the application, you need to take note of the following values:
You need to use these values in your SIEM tool to configure them.
For Splunk you need these values:
For HP ArcSight you need these values:
To get the refresh token:
- if using Splunk - your MS representative will provide this to you
- if using HP ArcSight - you need to run restutil

70
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Configure Splunk to consume Windows Defender ATP alerts
description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure Splunk to consume Windows Defender ATP alerts
**Applies to:**
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
### Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk (RONEN - please check if this link is correct.)
- Contact the Windows Defender ATP team to provide you your refresh token
- Get the following information from your Azure Active Directory (AAD) application:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
## Configure Splunk
1. Login in to Splunk.
2. Select **Search & Reporting**, then **Settings** > **Data inputs**.
3. Select **REST** under **Local inputs**.
> **Note**&nbsp;&nbsp;This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
4. Select **New**.
5. In the form fill in the following required fields with these values:
Field | Value
:---|:---
Endpoint URL | `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`
HTTP Method | GET
Authentication Type | oauth2
OAuth 2 Token Refresh URL | Value taken from AAD application
OAuth 2 Client ID | Value taken from AAD application
OAuth 2 Client Secret | Value taken from AAD application
Response type | json
Response Handler | JSONArrayHandler
Polling Interval | Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.
Set sourcetype | From list
Source type | _json
All other values in the form are optional and can be left blank.
6. Select **Save**.
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
Some sample queries are: RONEN - PLEASE CHECK IF THE FOLLOWING ARE CORRECT - THANK YOU
```source="rest://windows atp alerts"```
```source="rest://windows atp alerts"|spath|table*```
## Related topic
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Dashboard** displays a snapshot of:
- The latest active alerts on your network

23
windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -14,13 +14,11 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> **Note**&nbsp;&nbsp;This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
> **Note**&nbsp;&nbsp;This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
## What data does Windows Defender ATP collect?
@ -28,7 +26,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
@ -39,10 +37,10 @@ Microsoft does not mine your data for advertising or for any other purpose other
## Do I have the flexibility to select where to store my data?
Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
## Is my data isolated from other customer data?
Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
@ -58,12 +56,18 @@ Additionally, Microsoft conducts background verification checks of certain opera
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which dont contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How long will Microsoft store my data? What is Microsofts data retention policy?
Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsofts systems to make it unrecoverable after 90 days (from contract termination or expiration).
**At service onboarding**<br>
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsofts compliance standards.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
<!--
## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
@ -72,4 +76,5 @@ Subject to the preview program you are in, you could be asked to choose to store
In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if youd like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).
This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if youd like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).-->

28
windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Windows Defender compatibility
description: Learn about how Windows Defender works with Windows Defender ATP.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Windows Defender compatibility
**Applies to:**
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).

4
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -15,11 +15,9 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.

31
windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
There are three alert severity levels, described in the following table.
@ -43,17 +41,38 @@ Details displayed about the alert include:
- When the alert was last observed
- Alert description
- Recommended actions
- The potential scope of breach
- The incident graph
- The indicators that triggered the alert
![A detailed view of an alert when clicked](images/alert-details.png)
Alerts attributed to an adversary or actor display a colored tile with the actor name.
Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![A detailed view of an alert when clicked](images/alert-details.png)
## Incident graph
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
## Alert spotlight
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
You can click on the machine link from the alert view to see the alerts related to the machine.
> **Note**&nbsp;&nbsp;This shortcut is not available from the Incident graph machine links.
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can see information from the following sections in the URL view:

8
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
@ -84,7 +82,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
## View deep analysis report
@ -121,7 +119,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](configure-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.

5
windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
View File

@ -13,12 +13,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.

6
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
Use the Machines view in these two main scenarios:
@ -100,6 +98,8 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
Use the search bar to look for specific alerts or files associated with the machine.

4
windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.

56
windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
There are some minimum requirements for onboarding your network and endpoints.
## Minimum requirements
@ -35,7 +33,12 @@ When you run the onboarding wizard for the first time, you must choose where you
- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Endpoint hardware and software requirements
Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
The Windows Defender ATP agent only supports Windows 10, version 1607.
Endpoints on your network must be running Windows 10, version 1607.
The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10, version 1607.
> **Note**&nbsp;&nbsp;Endpoints that are running Windows Server and mobile versions of Windows are not supported.
@ -43,4 +46,49 @@ Internet connectivity on endpoints is also required. See [Configure Windows Defe
Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
### Telemetry and diagnostics settings
You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```

5
windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -14,13 +14,12 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You need to onboard to Windows Defender ATP before you can use the service.
## In this section
Topic | Description
:---|:---

11
windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -14,12 +14,9 @@ author: DulceMV
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@ -44,12 +41,12 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Preferences setup**| Shows the settings you selected <!--during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md),-->and lets you update your industry preferences and retention policy period.
**Endpoint Management**| Allows you to download the onboarding configuration package.
**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
**Enpoint Management**| Allows you to download the onboarding configuration package.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.

4
windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: DulceMV
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information.
## Time zone settings

34
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -14,17 +14,15 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607.
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
## Endpoints are not reporting to the service correctly
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
Go through the following verification topics to address this issue:
@ -43,22 +41,21 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi
2. From the **Run** dialog box, type **regedit** and press **Enter**.
4. In the **Registry Editor** navigate to the Status key under:
3. In the **Registry Editor** navigate to the Status key under:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
```
5. Check the **OnboardingState** value is set to **1**.
4. Check the **OnboardingState** value is set to **1**.
![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
If you configured your endpoints with a deployment tool that required a script, you can check the event viewer for the onboarding script results.
<br>
**Check the result of the script**:
You can check the event viewer for the onboarding script results.
**Check the result of the script**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
@ -73,12 +70,13 @@ Event ID | Error Type | Resolution steps
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
<br>
**Use Event Viewer to identify and adress onboarding errors**:
**Use Event Viewer to identify and address onboarding errors**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@ -105,6 +103,7 @@ Event ID | Message | Resolution steps
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
### Ensure the Windows Defender ATP service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
@ -128,7 +127,7 @@ If the the service is running, then the result should look like the following sc
![Result of the sq query sense command](images/sc-query-sense-autostart.png)
If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
If the service `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Change the Windows Defender ATP service startup type from the command line:**
@ -216,7 +215,7 @@ If the service is enabled, then the result should look like the following screen
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
@ -354,6 +353,9 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
## Cyber events are not showing up on the portal and logs show event ID 28
If you don't see cyber events in the portal and checking the logs show the event that states _Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed_, you'll need to make sure that the diagnostics service is enabled and running. For more information on how to check, see [Ensure the service is running](#ensure-the-service-is-running).
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

4
windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
### Server error - Access is denied due to invalid credentials

4
windows/keep-secure/use-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
A typical security breach investigation requires a member of a security operations team to:
1. View an alert on the **Dashboard** or **Alerts queue**

4
windows/keep-secure/windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,9 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: