mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge branch 'master' into removing-provisioned-apps-from-windows
This commit is contained in:
Heidi Lohr
commit
059e5f53cc
@ -13624,5 +13624,62 @@
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
}]
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
|
||||
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md",
|
||||
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields.md",
|
||||
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/configure-windows-diagnostic-data-in-your-organization.md",
|
||||
"redirect_url": "/windows/privacy/configure-windows-diagnostic-data-in-your-organization",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/diagnostic-data-viewer-overview.md",
|
||||
"redirect_url": "/windows/privacy/diagnostic-data-viewer-overview",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md",
|
||||
"redirect_url": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/gdpr-win10-whitepaper.md",
|
||||
"redirect_url": "/windows/privacy/gdpr-win10-whitepaper",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md",
|
||||
"redirect_url": "/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/manage-windows-endpoints-version-1709.md",
|
||||
"redirect_url": "/windows/privacy/manage-windows-endpoints",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/windows-diagnostic-data-1703.md",
|
||||
"redirect_url": "/windows/privacy/windows-diagnostic-data-1703",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/windows-diagnostic-data.md",
|
||||
"redirect_url": "/windows/privacy/windows-diagnostic-data",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
|
||||
]
|
||||
}
|
||||
|
||||
@ -5,7 +5,9 @@ ms.prod: edge
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
ms.date: 09/19/2017
|
||||
ms.date: ''
|
||||
ms.author: pashort
|
||||
author: shortpatti
|
||||
---
|
||||
|
||||
# Change history for Microsoft Edge
|
||||
|
||||
@ -2,6 +2,8 @@
|
||||
description: A full-sized view of the Microsoft Edge infographic.
|
||||
title: Full-sized view of the Microsoft Edge infographic
|
||||
ms.date: 11/10/2016
|
||||
ms.author: pashort
|
||||
author: shortpatti
|
||||
---
|
||||
|
||||
Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)<br>
|
||||
|
||||
@ -7,6 +7,8 @@ ms.pagetype: security
|
||||
title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
|
||||
ms.localizationpriority: high
|
||||
ms.date: 10/16/2017
|
||||
ms.author: pashort
|
||||
author: shortpatti
|
||||
---
|
||||
|
||||
# Security enhancements for Microsoft Edge
|
||||
|
||||
@ -1,15 +1,4 @@
|
||||
# [Configure Windows 10](index.md)
|
||||
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
|
||||
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
|
||||
## [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
|
||||
## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
|
||||
## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
|
||||
## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
|
||||
## [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
|
||||
## [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
|
||||
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
|
||||
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
|
||||
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
|
||||
## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
|
||||
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
|
||||
|
||||
@ -30,6 +30,20 @@ The topics in this library have been updated for Windows 10, version 1803. The f
|
||||
- Windows Configuration Designer setting: [AccountManagement](wcd/wcd-accountmanagement.md)
|
||||
- Windows Configuration Designer setting: [RcsPresence](wcd/wcd-rcspresence.md)
|
||||
|
||||
The following topics were moved into the [Privacy](/windows/privacy/index) library:
|
||||
|
||||
- [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
|
||||
- [Diagnostic Data Viewer Overview](/windows/privacy/diagnostic-data-viewer-overview)
|
||||
- [Windows 10, version 1803 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields)
|
||||
- [Windows 10, version 1709 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
|
||||
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
|
||||
- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)
|
||||
- [Windows 10, version 1709 diagnostic data for the Full level](/windows/privacy/windows-diagnostic-data)
|
||||
- [Windows 10, version 1703 diagnostic data for the Full level](/windows/privacy/windows-diagnostic-data-1703)
|
||||
- [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](/windows/privacy/gdpr-win10-whitepaper)
|
||||
- [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
|
||||
- [Manage Windows 10 connection endpoints](/windows/privacy/manage-windows-endpoints-version-1709)
|
||||
|
||||
## April 2018
|
||||
|
||||
New or changed topic | Description
|
||||
|
||||
@ -47,7 +47,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi
|
||||
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
|
||||
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
|
||||
|
||||
[Learn more about policy settings for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)
|
||||
[Learn more about policy settings for Windows Spotlight.](windows-spotlight.md)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -6,5 +6,6 @@
|
||||
## [Client management](/windows/client-management)
|
||||
## [Application management](/windows/application-management)
|
||||
## [Security](/windows/security)
|
||||
## [Privacy](/windows/privacy)
|
||||
## [Troubleshooting](/windows/client-management/windows-10-support-solutions)
|
||||
## [Other Windows client versions](https://docs.microsoft.com/previous-versions/windows)
|
||||
@ -1 +1,15 @@
|
||||
# [Index](index.md)
|
||||
# [Privacy](index.yml)
|
||||
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
|
||||
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
|
||||
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
|
||||
## Basic level diagnostics events and fields
|
||||
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
|
||||
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
|
||||
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
|
||||
## Enhanced level diagnostics events and fields
|
||||
### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
|
||||
## Full level diagnostics events and fields
|
||||
### [Windows 10, version 1709 and later diagnostic data for the Full level](windows-diagnostic-data.md)
|
||||
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
|
||||
## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
|
||||
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
|
||||
@ -33,7 +33,7 @@ You can learn more about Windows functional and diagnostic data through these ar
|
||||
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
|
||||
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
|
||||
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
- [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
|
||||
- [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
|
||||
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
|
||||
|
||||
|
||||
BIN
windows/privacy/images/checkmark.png
Normal file
BIN
windows/privacy/images/checkmark.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 20 KiB |
|
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB |
|
Before Width: | Height: | Size: 2.0 KiB After Width: | Height: | Size: 2.0 KiB |
|
Before Width: | Height: | Size: 1.3 KiB After Width: | Height: | Size: 1.3 KiB |
|
Before Width: | Height: | Size: 176 KiB After Width: | Height: | Size: 176 KiB |
|
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 17 KiB |
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 16 KiB |
|
Before Width: | Height: | Size: 36 KiB After Width: | Height: | Size: 36 KiB |
|
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 25 KiB |
|
Before Width: | Height: | Size: 11 KiB After Width: | Height: | Size: 11 KiB |
|
Before Width: | Height: | Size: 529 KiB After Width: | Height: | Size: 529 KiB |
|
Before Width: | Height: | Size: 123 KiB After Width: | Height: | Size: 123 KiB |
|
Before Width: | Height: | Size: 220 KiB After Width: | Height: | Size: 220 KiB |
|
Before Width: | Height: | Size: 162 KiB After Width: | Height: | Size: 162 KiB |
|
Before Width: | Height: | Size: 26 KiB After Width: | Height: | Size: 26 KiB |
|
Before Width: | Height: | Size: 77 KiB After Width: | Height: | Size: 77 KiB |
@ -1 +0,0 @@
|
||||
# Welcome to privacy!
|
||||
148
windows/privacy/index.yml
Normal file
148
windows/privacy/index.yml
Normal file
@ -0,0 +1,148 @@
|
||||
### YamlMime:YamlDocument
|
||||
|
||||
documentType: LandingData
|
||||
|
||||
title: Windows Privacy
|
||||
|
||||
metadata:
|
||||
|
||||
document_id:
|
||||
|
||||
title: Windows Privacy
|
||||
|
||||
description: Learn about how privacy is managed in Windows.
|
||||
|
||||
keywords: Windows 10, Windows Server, Windows Server 2016, privacy, GDPR, compliance, endpoints
|
||||
|
||||
ms.localizationpriority: high
|
||||
|
||||
author: danihalfin
|
||||
|
||||
ms.author: daniha
|
||||
|
||||
ms.date: 04/25/2018
|
||||
|
||||
ms.topic: article
|
||||
|
||||
ms.devlang: na
|
||||
|
||||
sections:
|
||||
|
||||
- items:
|
||||
|
||||
- type: markdown
|
||||
|
||||
text: Get ready for General Data Protection Regulation (GDPR) by viewing and configuring diagnostics data in your organization.
|
||||
|
||||
- items:
|
||||
|
||||
- type: list
|
||||
|
||||
style: cards
|
||||
|
||||
className: cardsM
|
||||
|
||||
columns: 3
|
||||
|
||||
items:
|
||||
|
||||
- href: \windows\privacy\gdpr-win10-whitepaper
|
||||
|
||||
html: <p>Learn about GDPR and how Microsoft helps you get started towards compliance</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_advanced.svg
|
||||
|
||||
title: Begin your GDPR journey
|
||||
|
||||
- href: \windows\privacy\configure-windows-diagnostic-data-in-your-organization
|
||||
|
||||
html: <p>Make informed decisions about how you can configure diagnostic data in your organization</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_filter.svg
|
||||
|
||||
title: Configure Windows diagnostic data
|
||||
|
||||
- href: \windows\privacy\diagnostic-data-viewer-overview
|
||||
|
||||
html: <p>Review the diagnostic data sent to Microsoft by device in your organization</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_investigate.svg
|
||||
|
||||
title: View diagnostic data
|
||||
|
||||
- title: Understand Diagnostic Data in Windows 10
|
||||
|
||||
items:
|
||||
|
||||
- type: paragraph
|
||||
|
||||
text: 'For the latest Windows 10 version, Learn more about what Windows Diagnostic Data is gathered at various diagnostics levels.'
|
||||
|
||||
- type: list
|
||||
|
||||
style: cards
|
||||
|
||||
className: cardsM
|
||||
|
||||
columns: 3
|
||||
|
||||
items:
|
||||
|
||||
- href: \windows\privacy\basic-level-windows-diagnostic-events-and-fields
|
||||
|
||||
html: <p>Learn more about basic diagnostics events and fields collected</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_extend.svg
|
||||
|
||||
title: Basic level events and fields
|
||||
|
||||
- href: \windows\privacy\enhanced-diagnostic-data-windows-analytics-events-and-fields
|
||||
|
||||
html: <p>Learn more about diagnostics events and fields used by Windows Analytics</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_delivery.svg
|
||||
|
||||
title: Enhanced level events and fields
|
||||
|
||||
- href: \windows\privacy\windows-diagnostic-data
|
||||
|
||||
html: <p>Learn more about all diagnostics data collected</p>
|
||||
|
||||
image:
|
||||
|
||||
src: https://docs.microsoft.com/media/common/i_get-started.svg
|
||||
|
||||
title: Full level events and fields
|
||||
|
||||
- items:
|
||||
|
||||
- type: list
|
||||
|
||||
style: cards
|
||||
|
||||
className: cardsL
|
||||
|
||||
items:
|
||||
|
||||
- title: View and manage Windows 10 connection endpoints
|
||||
|
||||
html: <p><a class="barLink" href="/windows/privacy/manage-windows-endpoints-version-1709">Manage Windows 10 connection endpoints</a></p>
|
||||
|
||||
<p><a class="barLink" href="/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services">Manage connections from Windows to Microsoft services</a></p>
|
||||
|
||||
- title: Additional resources
|
||||
|
||||
html: <p><a class="barLink" href="https://www.microsoft.com/en-us/trustcenter/cloudservices/windows10">Windows 10 on Trust Center</a></p>
|
||||
|
||||
<p><a class="barLink" href="https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr">GDPR on Microsoft365 Compliance solutions</a></p>
|
||||
|
||||
@ -1847,7 +1847,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
|
||||
|
||||
- Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
|
||||
|
||||
For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
|
||||
For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
|
||||
|
||||
### <a href="" id="bkmk-windowsstore"></a>26. Microsoft Store
|
||||
|
||||
@ -14,7 +14,7 @@ ms.date: 11/21/2017
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10, version 1709
|
||||
- Windows 10, version 1709 and later
|
||||
|
||||
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
|
||||
|
||||
@ -24,13 +24,13 @@ Some Windows components, app, and related services transfer data to Microsoft ne
|
||||
- Connecting to the cloud to store and access backups.
|
||||
- Using your location to show a weather forecast.
|
||||
|
||||
This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709.
|
||||
This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709 and later.
|
||||
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
|
||||
Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
|
||||
|
||||
We used the following methodology to derive these network endpoints:
|
||||
|
||||
1. Set up Windows 10 Enterprise, version 1709 test virtual machine using the default settings.
|
||||
1. Set up the latest version of Windows 10 Enterprise test virtual machine using the default settings.
|
||||
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
|
||||
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
|
||||
4. Compile reports on traffic going to public IP addresses.
|
||||
@ -44,249 +44,252 @@ We used the following methodology to derive these network endpoints:
|
||||
The following endpoint is used to download updates to the Weather app Live Tile.
|
||||
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| explorer | HTTP | tile-service.weather.microsoft.com/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
|
||||
| | HTTP | blob.weather.microsoft.com | 1803 |
|
||||
|
||||
The following endpoint is used for OneNote Live Tile.
|
||||
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
|
||||
|
||||
The following endpoints are used for Twitter updates.
|
||||
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTPS | wildcard.twimg.com |
|
||||
| svchost.exe | | oem.twimg.com/windows/tile.xml |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTPS | wildcard.twimg.com | 1709 |
|
||||
| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
|
||||
|
||||
The following endpoint is used for Facebook updates.
|
||||
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | star-mini.c10r.facebook.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | star-mini.c10r.facebook.com | 1709 |
|
||||
|
||||
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
|
||||
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
|
||||
|
||||
The following endpoint is used for Candy Crush Saga updates.
|
||||
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | TLS v1.2 | candycrushsoda.king.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | TLS v1.2 | candycrushsoda.king.com | 1709 |
|
||||
|
||||
The following endpoint is used for by the Microsoft Wallet app.
|
||||
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
|
||||
If you disable the Microsoft store, other Store apps cannot be installed or updated.
|
||||
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
|
||||
|
||||
The following endpoint is used by the Groove Music app for update HTTP handler status.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
|
||||
|
||||
## Cortana and Search
|
||||
|
||||
The following endpoint is used to get images that are used for Microsoft Store suggestions.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| searchui | HTTPS | store-images.s-microsoft.com/image/apps.32524.9007199266244048.fc51fce8-175a-4525-b569-14d91f7779c3.0a720951-38e4-4e81-9804-03f833ab1d2e?format=source |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
|
||||
|
||||
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| backgroundtaskhost | HTTPS | www.bing.com/client/config?cc=US&setlang=en-US |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
|
||||
|
||||
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| backgroundtaskhost | HTTPS | www.bing.com/proactive/v2/spark?cc=US&setlang=en-US |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
|
||||
|
||||
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
|
||||
|
||||
## Certificates
|
||||
|
||||
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1ba0e83cae791f0d |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
|
||||
|
||||
The following endpoints are used to download certificates that are publicly known to be fraudulent.
|
||||
These settings are critical for both Windows security and the overall security of the Internet.
|
||||
We do not recommend blocking this endpoint.
|
||||
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?03376e5589b4a188 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
|
||||
|
||||
## Device authentication
|
||||
|
||||
The following endpoint is used to authenticate a device.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTPS | login.live.com/ppsecure/deviceaddcredential.srf |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTPS | login.live.com/ppsecure | 1709 |
|
||||
|
||||
## Device metadata
|
||||
|
||||
The following endpoint is used to retrieve device metadata.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | dmd.metaservices.microsoft.com.akadns.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
|
||||
| | HTTP | dmd.metaservices.microsoft.com | 1803 |
|
||||
|
||||
## Diagnostic Data
|
||||
|
||||
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
|
||||
|
||||
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
|
||||
|
||||
The following endpoints are used by Windows Error Reporting.
|
||||
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| wermgr | | watson.telemetry.microsoft.com/Telemetry.Request |
|
||||
| |TLS v1.2 |modern.watson.data.microsoft.com.akadns.net|
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| wermgr | | watson.telemetry.microsoft.com | 1709 |
|
||||
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
|
||||
|
||||
## Font streaming
|
||||
|
||||
The following endpoints are used to download fonts on demand.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | fs.microsoft.com |
|
||||
| | | fs.microsoft.com/fs/windows/config.json |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | | fs.microsoft.com | 1709 |
|
||||
| | | fs.microsoft.com/fs/windows/config.json | 1709 |
|
||||
|
||||
## Licensing
|
||||
|
||||
The following endpoint is used for online activation and some app licensing.
|
||||
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
|
||||
|
||||
## Location
|
||||
|
||||
The following endpoint is used for location data.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTP | location-inference-westus.cloudapp.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTP | location-inference-westus.cloudapp.net | 1709 |
|
||||
|
||||
## Maps
|
||||
|
||||
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTPS | *g.akamaiedge.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTPS | *g.akamaiedge.net | 1709 |
|
||||
|
||||
## Microsoft account
|
||||
|
||||
The following endpoints are used for Microsoft accounts to sign in.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | login.msa.akadns6.net |
|
||||
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | login.msa.akadns6.net | 1709 |
|
||||
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
|
||||
|
||||
## Microsoft Store
|
||||
|
||||
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | *.wns.windows.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | *.wns.windows.com | 1709 |
|
||||
|
||||
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
|
||||
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTP | storecatalogrevocation.storequality.microsoft.com/applications/revoked.json/ |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
|
||||
|
||||
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1ARmA?ver=e6f4 |
|
||||
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWbW71?ver=c090 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
|
||||
| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
|
||||
|
||||
The following endpoints are used to communicate with Microsoft Store.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
|
||||
| | HTTP | pti.store.microsoft.com |
|
||||
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
|
||||
| | HTTP | pti.store.microsoft.com | 1709 |
|
||||
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
|
||||
| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
|
||||
|
||||
## Network Connection Status Indicator (NCSI)
|
||||
|
||||
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTP | www.msftconnecttest.com/connecttest.txt |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
|
||||
|
||||
## Office
|
||||
|
||||
@ -294,89 +297,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in
|
||||
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
|
||||
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | *.a-msedge.net |
|
||||
| hxstr | | *.c-msedge.net |
|
||||
| | | *.e-msedge.net |
|
||||
| | | *.s-msedge.net |
|
||||
|
||||
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
|
||||
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
|
||||
If you turn off traffic for this endpoint, users won't be able to save documents to the cloud or see their recently used documents.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| hxstr | | *.c-msedge.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | *.a-msedge.net | 1709 |
|
||||
| hxstr | | *.c-msedge.net | 1709 |
|
||||
| | | *.e-msedge.net | 1709 |
|
||||
| | | *.s-msedge.net | 1709 |
|
||||
| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
|
||||
|
||||
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
|
||||
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
|
||||
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
|
||||
|
||||
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
|
||||
|
||||
## OneDrive
|
||||
|
||||
The following endpoint is a redirection service that’s used to automatically update URLs.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| onedrive | HTTP | g.live.com/1rewlive5skydrive/ODSUProduction |
|
||||
|
||||
|
||||
The following endpoint is a redirection service that’s used to automatically update URLs.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| onedrive | HTTPS | g.live.com/1rewlive5skydrive/OneDriveProduction?OneDriveUpdate=1303f1898483a527eab1d8f57af6 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
|
||||
|
||||
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
|
||||
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| onedrive | HTTPS | oneclient.sfx.ms/PreSignInSettings/Prod/PreSignInSettingsConfig.json?OneDriveUpdate=3253474af747a19de2a72deb9a75 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
|
||||
|
||||
## Settings
|
||||
|
||||
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
|
||||
|
||||
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| dmclient | HTTPS | settings.data.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
|
||||
|
||||
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTPS | settings-win.data.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
|
||||
|
||||
## Skype
|
||||
|
||||
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
|
||||
|
||||
|
||||
|
||||
@ -385,112 +373,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
|
||||
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | wdcp.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | wdcp.microsoft.com | 1709 |
|
||||
|
||||
The following endpoints are used for Windows Defender definition updates.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | definitionupdates.microsoft.com |
|
||||
|MpCmdRun.exe|HTTPS|go.microsoft.com|
|
||||
|
||||
## Windows Insider Preview builds
|
||||
|
||||
The following endpoint is used to retrieve Windows Insider Preview builds.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-previewbuilds), the device will not be notified about new Windows Insider Preview builds.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTPS | insiderppe.cloudapp.net/windows-app-web-link |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | definitionupdates.microsoft.com | 1709 |
|
||||
|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
|
||||
|
||||
## Windows Spotlight
|
||||
|
||||
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](windows-spotlight.md).
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| backgroundtaskhost | HTTPS | arc.msn.com |
|
||||
| backgroundtaskhost | | g.msn.com.nsatc.net |
|
||||
| |TLS v1.2| *.search.msn.com |
|
||||
| | HTTPS | ris.api.iris.microsoft.com/v1/a/impression?CID=116000000000270658®ion=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=ENTERPRISE&cmdVer=10.0.15063.0&mo=&cap=&EID=&&PID=400051553&UIT=G&TargetID=700090861&AN=275357688&PG=PC000P0FR5.0000000G4I&REQASID=D17E3C737583496F8C4CE6553F7395C5&UNID=202914&ANID=&MUID=&ASID=a81b259b93e2425e801d0bb5a5ec2741&PERSID=&AUID=71FA96C64367722E210169966CE8D919&TIME=20170721T015831Z |
|
||||
| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaHxi |
|
||||
| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaML4 |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
|
||||
| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
|
||||
| |TLS v1.2| *.search.msn.com | 1709 |
|
||||
| | HTTPS | ris.api.iris.microsoft.com | 1709 |
|
||||
| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
|
||||
|
||||
## Windows Update
|
||||
|
||||
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
|
||||
|
||||
The following endpoints are used to download operating system patches and updates.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | au.download.windowsupdate.com |
|
||||
| svchost | HTTP | *.windowsupdate.com |
|
||||
| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTP | *.windowsupdate.com | 1709 |
|
||||
| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
|
||||
|
||||
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | cds.d2s7q6s2.hwcdn.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | cds.d2s7q6s2.hwcdn.net | 1709 |
|
||||
|
||||
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | HTTP | *wac.phicdn.net |
|
||||
| | | *wac.edgecastcdn.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | HTTP | *wac.phicdn.net | 1709 |
|
||||
| | | *wac.edgecastcdn.net | 1709 |
|
||||
|
||||
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
|
||||
|
||||
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | | emdl.ws.microsoft.com/emdl/c/doc/ph/prod1/msdownload/update/software/defu/2017/07/1024/am_base_82267ed19fb382d07106d5f64257fb815c664b31.exe.json |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | | emdl.ws.microsoft.com | 1709 |
|
||||
|
||||
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTPS | fe2.update.microsoft.com/v6/ClientWebService/client.asmx |
|
||||
| svchost | | fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx |
|
||||
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net (an alias for fe3.delivery.mp.microsoft.com) |
|
||||
| svchost | HTTPS | sls.update.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
|
||||
| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
|
||||
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
|
||||
| svchost | HTTPS | sls.update.microsoft.com | 1709 |
|
||||
| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
|
||||
|
||||
The following endpoint is used for content regulation.
|
||||
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
|
||||
|
||||
The following endpoints are used to download content.
|
||||
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
| | | a122.dscd.akamai.net |
|
||||
| | | a1621.g.akamai.net |
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
| | | a122.dscd.akamai.net | 1709 |
|
||||
| | | a1621.g.akamai.net | 1709 |
|
||||
|
||||
## Microsoft forward link redirection service (FWLink)
|
||||
|
||||
@ -498,9 +476,9 @@ The following endpoint is used by the Microsoft forward link redirection service
|
||||
|
||||
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
|
||||
|
||||
| Source process | Protocol | Destination |
|
||||
|----------------|----------|------------|
|
||||
|Various|HTTPS|go.microsoft.com|
|
||||
| Source process | Protocol | Destination | Applies from Windows 10 version |
|
||||
|----------------|----------|------------|----------------------------------|
|
||||
|Various|HTTPS|go.microsoft.com| 1709 |
|
||||
|
||||
## Endpoints for other Windows editions
|
||||
|
||||
@ -10,7 +10,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 05/08/2018
|
||||
---
|
||||
|
||||
# Configure advanced features in Windows Defender ATP
|
||||
@ -87,6 +87,11 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic
|
||||
>You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.
|
||||
|
||||
|
||||
## Preview features
|
||||
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
|
||||
|
||||
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
|
||||
|
||||
## Enable advanced features
|
||||
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
|
||||
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
|
||||
|
||||
@ -10,7 +10,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 05/03/2018
|
||||
ms.date: 05/08/2018
|
||||
---
|
||||
|
||||
# Use Automated investigations to investigate and remediate threats
|
||||
@ -65,15 +65,24 @@ While an investigation is running, any other alert generated from the machine wi
|
||||
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
|
||||
|
||||
### How threats are remediated
|
||||
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
|
||||
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
|
||||
|
||||
You can configure the following levels of automation:
|
||||
|
||||
Automation level | Description
|
||||
:---|:---
|
||||
Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action.
|
||||
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
|
||||
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.
|
||||
Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.
|
||||
Full - remediate threats automatically | All remediation actions will be performed automatically.
|
||||
|
||||
For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.
|
||||
|
||||
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
|
||||
|
||||
### How an Automated investigation is completed
|
||||
When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it.
|
||||
|
||||
|
||||
## Manage Automated investigations
|
||||
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
|
||||
@ -103,19 +112,15 @@ Status | Description
|
||||
| No threats found | No malicious entities found during the investigation.
|
||||
| Failed | A problem has interrupted the investigation, preventing it from completing. |
|
||||
| Partially remediated | A problem prevented the remediation of some malicious entities. |
|
||||
| Action required | Remediation actions require review and approval. |
|
||||
| Pending | Remediation actions require review and approval. |
|
||||
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
|
||||
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
|
||||
| Running | Investigation ongoing. Malicious entities found will be remediated. |
|
||||
| Remediated | Malicious entities found were successfully remediated. |
|
||||
| Terminated by system | Investigation was stopped due to <reason>. |
|
||||
| Terminated by user | A user stopped the investigation before it could complete. |
|
||||
| Not applicable | Automated investigations do not apply to this alert type. |
|
||||
| Terminated by user | A user stopped the investigation before it could complete.
|
||||
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
|
||||
| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. |
|
||||
| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. |
|
||||
| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. |
|
||||
| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. |
|
||||
|
||||
|
||||
|
||||
**Detection source**</br>
|
||||
|
||||
@ -102,7 +102,7 @@ Take the following steps to enable conditional access:
|
||||
|
||||
|
||||
### Step 1: Turn on the Microsoft Intune connection
|
||||
1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Microsoft Intune connection**.
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
|
||||
2. Toggle the Microsoft Intune setting to **On**.
|
||||
3. Click **Save preferences**.
|
||||
|
||||
|
||||
@ -30,26 +30,29 @@ ms.date: 05/01/2018
|
||||
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
|
||||
|
||||
> [!NOTE]
|
||||
> Only users with full access can configure email notifications.
|
||||
> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
|
||||
|
||||
You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default.
|
||||
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
|
||||
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule.
|
||||
Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope.
|
||||
Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups.
|
||||
|
||||
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
|
||||
|
||||
|
||||
## Set up email notifications for alerts
|
||||
The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
|
||||
|
||||
1. On the navigation pane, select **Settings** > **Alert notifications**.
|
||||
2. Toggle the setting between **On** and **Off**.
|
||||
3. Select the alert severity level that you’d like your recipients to receive:
|
||||
- **High** – Select this level to send notifications for high-severity alerts.
|
||||
- **Medium** – Select this level to send notifications for medium-severity alerts.
|
||||
3. Select the alert severity level that you’d like your recipients to receive:
|
||||
- **High** – Select this level to send notifications for high-severity alerts.
|
||||
- **Medium** – Select this level to send notifications for medium-severity alerts.
|
||||
- **Low** - Select this level to send notifications for low-severity alerts.
|
||||
- **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
|
||||
4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
|
||||
5. Click **Save preferences** when you’ve completed adding all the recipients.
|
||||
5. Click **Save preferences** when you’ve completed adding all the recipients.
|
||||
|
||||
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
|
||||
|
||||
@ -59,10 +62,9 @@ Here's an example email notification:
|
||||
|
||||
## Remove email recipients
|
||||
|
||||
1. Select the trash bin icon beside the email address you’d like to remove.
|
||||
1. Select the trash bin icon beside the email address you’d like to remove.
|
||||
2. Click **Save preferences**.
|
||||
|
||||
|
||||
## Troubleshoot email notifications for alerts
|
||||
This section lists various issues that you may encounter when using email notifications for alerts.
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ ms.date: 04/24/2018
|
||||
## Onboard machines using Group Policy
|
||||
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
||||
@ -106,7 +106,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
|
||||
|
||||
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
@ -189,7 +189,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@ You'll need to take the following steps to onboard non-Windows machines:
|
||||
|
||||
### Turn on third-party integration
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed.
|
||||
1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed.
|
||||
|
||||
2. Select Mac and Linux as the operating system.
|
||||
|
||||
@ -59,7 +59,7 @@ To effectively offboard the machine from the service, you'll need to disable the
|
||||
|
||||
1. Follow the third-party documentation to opt-out on the third-party service side.
|
||||
|
||||
2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
2. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
3. Turn off the third-party solution integration.
|
||||
|
||||
|
||||
@ -49,7 +49,7 @@ You can use existing System Center Configuration Manager functionality to create
|
||||
|
||||
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
@ -127,7 +127,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m
|
||||
## Onboard machines
|
||||
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
@ -94,7 +94,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m
|
||||
|
||||
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
||||
@ -115,7 +115,9 @@ You’ll be able to onboard in the same method available for Windows 10 client m
|
||||
If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
|
||||
|
||||
## Offboard servers
|
||||
You have two options to offboard servers from the service:
|
||||
You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines.
|
||||
|
||||
For other server versions, you have two options to offboard servers from the service:
|
||||
- Uninstall the MMA agent
|
||||
- Remove the Windows Defender ATP workspace configuration
|
||||
|
||||
@ -143,7 +145,7 @@ To offboard the server, you can use either of the following methods:
|
||||
#### Run a PowerShell command to remove the configuration
|
||||
|
||||
1. Get your Workspace ID:
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ ms.date: 04/24/2018
|
||||
|
||||
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **General** > **Data rention**.
|
||||
1. In the navigation pane, select **Settings** > **Data rention**.
|
||||
|
||||
2. Select the data retention duration from the drop-down list.
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ ms.date: 04/24/2018
|
||||
|
||||
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.
|
||||
1. In the navigation pane, select **Settings** > **Threat intel**.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ Set the baselines for calculating the score of Windows Defender security control
|
||||
>[!NOTE]
|
||||
>Changes might take up to a few hours to reflect on the dashboard.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **General** > **Secure Score**.
|
||||
1. In the navigation pane, select **Settings** > **Secure Score**.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ ms.date: 04/24/2018
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
|
||||
1. In the navigation pane, select **Settings** > **SIEM**.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 05/08/2018
|
||||
---
|
||||
|
||||
# Create and manage machine groups in Windows Defender ATP
|
||||
@ -33,61 +33,61 @@ In Windows Defender ATP, you can create machine groups and use them to:
|
||||
- Configure different auto-remediation settings for different sets of machines
|
||||
|
||||
As part of the process of creating a machine group, you'll:
|
||||
- Set the automated remediation level for that group
|
||||
- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
|
||||
- Determine access to machine group
|
||||
- Rank the machine group relative to other groups after it is created
|
||||
- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md).
|
||||
- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
|
||||
- Select the Azure AD user group that should have access to the machine group.
|
||||
- Rank the machine group relative to other groups after it is created.
|
||||
|
||||
>[!NOTE]
|
||||
>All machine groups are accessible to all users if you don’t assign any Azure AD groups to them.
|
||||
>A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
|
||||
|
||||
|
||||
## Add a machine group
|
||||
|
||||
1. In the navigation pane, select **Settings > Permissions > Machine groups**.
|
||||
1. In the navigation pane, select **Settings** > **Machine groups**.
|
||||
|
||||
2. Click **Add machine group**.
|
||||
|
||||
3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group:
|
||||
3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group.
|
||||
|
||||
- **Name**
|
||||
- **Machine group name**
|
||||
- **Automation level**
|
||||
- **Semi - require approval for any remediation**
|
||||
- **Semi - require approval for non-temp folders remediation**
|
||||
- **Semi - require approval for core folders remediation**
|
||||
- **Full - remediate threats automatically**
|
||||
|
||||
- **Remediation level for automated investigations**
|
||||
- **No remediation**
|
||||
- **Require approval (all folders)**
|
||||
- **Require approval (non-temp folders)**
|
||||
- **Require approval (core folders)**
|
||||
- **Fully automated**
|
||||
>[!NOTE]
|
||||
> For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow).
|
||||
|
||||
- **Description**
|
||||
- **Members**
|
||||
|
||||
- **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version.
|
||||
>[!TIP]
|
||||
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
|
||||
|
||||
>[!TIP]
|
||||
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
|
||||
|
||||
4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab.
|
||||
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab.
|
||||
|
||||
5. Assign the user groups that can access the machine group you created.
|
||||
|
||||
>[!NOTE]
|
||||
>You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
|
||||
|
||||
6. Click **Close**.
|
||||
6. Click **Close**. The configuration changes are applied.
|
||||
|
||||
7. Apply the configuration settings.
|
||||
|
||||
## Understand matching and manage groups
|
||||
You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
|
||||
## Manage machine groups
|
||||
You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
|
||||
|
||||
>[!WARNING]
|
||||
>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group.
|
||||
|
||||
By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group.
|
||||
|
||||
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
|
||||
|
||||
>[!NOTE]
|
||||
>Applying changes to machine group configuration may take up to several minutes.
|
||||
|
||||
|
||||
> - Applying changes to machine group configuration may take up to several minutes.
|
||||
|
||||
|
||||
## Related topic
|
||||
|
||||
@ -110,7 +110,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
|
||||
|
||||
### View the list of suppression rules
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**.
|
||||
1. In the navigation pane, select **Settings** > **Alert suppression**.
|
||||
|
||||
2. The list of suppression rules shows all the rules that users in your organization have created.
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ Entities added to the blocked list are considered malicious and will be remediat
|
||||
You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.
|
||||
|
||||
## Create an allowed or blocked list
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
|
||||
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
|
||||
|
||||
2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
|
||||
- File hash
|
||||
@ -52,14 +52,14 @@ You can define the conditions for when entities are identified as malicious or s
|
||||
5. Click **Update rule**.
|
||||
|
||||
## Edit a list
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
|
||||
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
|
||||
|
||||
2. Select the type of entity you'd like to edit the list from.
|
||||
|
||||
3. Update the details of the rule and click **Update rule**.
|
||||
|
||||
## Delete a list
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
|
||||
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
|
||||
|
||||
2. Select the type of entity you'd like to delete the list from.
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t
|
||||
|
||||
## Add file extension names and attachment extension names.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation file uploads**.
|
||||
1. In the navigation pane, select **Settings** > **Automation file uploads**.
|
||||
|
||||
2. Toggle the content analysis setting between **On** and **Off**.
|
||||
|
||||
|
||||
@ -47,7 +47,7 @@ You can specify the file names that you want to be excluded in a specific direct
|
||||
|
||||
|
||||
## Add an automation folder exclusion
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
|
||||
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
|
||||
|
||||
2. Click **New folder exclusion**.
|
||||
|
||||
@ -62,14 +62,14 @@ You can specify the file names that you want to be excluded in a specific direct
|
||||
4. Click **Save**.
|
||||
|
||||
## Edit an automation folder exclusion
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
|
||||
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
|
||||
|
||||
2. Click **Edit** on the folder exclusion.
|
||||
|
||||
3. Update the details of the rule and click **Save**.
|
||||
|
||||
## Remove an automation folder exclusion
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
|
||||
1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
|
||||
2. Click **Remove exclusion**.
|
||||
|
||||
|
||||
|
||||
@ -32,7 +32,7 @@ There might be scenarios where you need to suppress alerts from appearing in the
|
||||
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
|
||||
|
||||
## Turn a suppression rule on or off
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
|
||||
1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
|
||||
|
||||
2. Select a rule by clicking on the check-box beside the rule name.
|
||||
|
||||
@ -40,7 +40,7 @@ You can view a list of all the suppression rules and manage them in one place. Y
|
||||
|
||||
## View details of a suppression rule
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
|
||||
1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
|
||||
|
||||
2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ You can access these options from the Windows Defender ATP portal. Both the Powe
|
||||
## Create a Windows Defender ATP dashboard on Power BI service
|
||||
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
|
||||
1. In the navigation pane, select **Settings** > **Power BI reports**.
|
||||
|
||||
2. Click **Create dashboard**.
|
||||
|
||||
@ -127,7 +127,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
|
||||
### Before you begin
|
||||
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
|
||||
|
||||
2. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
|
||||
2. In the navigation pane, select **Settings** > **Power BI reports**.
|
||||
|
||||
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ ms.date: 04/24/2018
|
||||
|
||||
Turn on the preview experience setting to be among the first to try upcoming features.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Preview experience**.
|
||||
1. In the navigation pane, select **Settings** > **Advanced features**.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ You'll have access to upcoming features which you can provide feedback on to hel
|
||||
|
||||
Turn on the preview experience setting to be among the first to try upcoming features.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**.
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
|
||||
|
||||
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 05/08/2018
|
||||
---
|
||||
|
||||
# Manage portal access using role-based access control
|
||||
@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
|
||||
|
||||
2. Click **Add role**.
|
||||
|
||||
3. Enter the role name, description, and active permissions you’d like to assign to the role.
|
||||
3. Enter the role name, description, and permissions you’d like to assign to the role.
|
||||
|
||||
- **Role name**
|
||||
|
||||
- **Description**
|
||||
|
||||
- **Active permissions**
|
||||
- **Permissions**
|
||||
- **View data** - Users can view information in the portal.
|
||||
- **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
|
||||
- **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
|
||||
- **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
|
||||
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
|
||||
|
||||
4. Click **Next** to assign the role to an Azure AD group.
|
||||
|
||||
@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a
|
||||
|
||||
2. Click **Edit**.
|
||||
|
||||
3. Modify the details or the groups that the role is a part of.
|
||||
3. Modify the details or the groups that are assigned to the role.
|
||||
|
||||
4. Click **Save and close**.
|
||||
|
||||
## Delete roles
|
||||
|
||||
1. Select the role row you'd like to delete.
|
||||
1. Select the role you'd like to delete.
|
||||
|
||||
2. Click the drop-down button and select **Delete role**.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user