mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-25 23:33:35 +00:00
Merge branch 'master' into mdatp-gov
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
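Review bot: the `author:` line (`dulcemontemayor` / `Mir0sh`) is the only field that changes in this front-matter hunk, and the same one-line edit repeats in the metadata hunks that follow, while `manager: dansimp` stays as it is. If these pages also carry an `ms.author:` field outside the visible context, change it together with `author:` so the two fields do not name different owners.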
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 07/16/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 10/02/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 10/02/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 10/02/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 10/02/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 07/16/2018
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 05/29/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 02/28/2019
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -10,7 +10,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: dulcemontemayor
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -1,8 +1,8 @@
|
||||
---
|
||||
title: Fileless threats
|
||||
ms.reviewer:
|
||||
description: Learn about fileless threats, its categories, and how it runs
|
||||
keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP
|
||||
description: Learn about the categories of fileless threats and malware that "live off the land"
|
||||
keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: secure
|
||||
ms.sitesec: library
|
||||
@ -18,9 +18,9 @@ search.appverid: met150
|
||||
|
||||
# Fileless threats
|
||||
|
||||
What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
|
||||
What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
|
||||
|
||||
Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
|
||||
Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form.
|
||||
|
||||
For clarity, fileless threats are grouped into different categories.
|
||||
|
||||
|
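Review bot: the rewritten "several stages" sentence still links to `https://attack.mitre.org/wiki/ATT&CK_Matrix`, the wiki-era address of the ATT&CK matrix. Since the line is being edited anyway, point the link at the current matrix page on attack.mitre.org and confirm that it resolves before merging.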
@ -134,7 +134,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
|
||||
|
||||
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
|
||||
|
||||
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Microsoft Defender ATP sensor is running on.
|
||||
1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
|
||||
|
||||
2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
|
||||
|
||||
|
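Review bot: in step 1 the download link moves to `https://aka.ms/mdatpanalyzer`, but step 2 still tells the reader to extract `WDATPConnectivityAnalyzer`; confirm that the archive behind the new link still unpacks under that name, and rename step 2 if it does not. While the line is open, "to the PC where Microsoft Defender ATP sensor is running on" should lose the trailing "on".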
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/16/2017
|
||||
---
|
||||
|
||||
# Configure Splunk to pull Microsoft Defender ATP alerts
|
||||
@ -33,7 +32,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
|
||||
|
||||
## Before you begin
|
||||
|
||||
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
|
||||
- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
|
||||
- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
|
||||
|
||||
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
|
||||
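Review bot: the first prerequisite bullet now names an "open source" add-on, the Windows Defender ATP Modular Inputs TA, without saying who publishes it or which version these steps were written against. The following bullets have the reader supply values from the SIEM integration details file, so state the publisher and the tested version next to the Splunkbase link.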
@ -52,7 +51,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
|
||||
3. Click **REST** under **Local inputs**.
|
||||
|
||||
NOTE:
|
||||
This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
|
||||
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
|
||||
|
||||
4. Click **New**.
|
||||
|
||||
|
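Review bot: step 3 still reads "Click **REST** under **Local inputs**", while the NOTE under it now says the input appears only after the Windows Defender ATP Modular Inputs TA is installed. Confirm that the TA registers its input under the name REST; if it uses another name, step 3 needs the same update as the NOTE.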
@ -57,7 +57,7 @@ The following steps are required to enable this integration:
|
||||
|
||||
### Before you begin
|
||||
Review the following details to verify minimum system requirements:
|
||||
- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
||||
- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
||||
|
||||
>[!NOTE]
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
|
@ -305,7 +305,7 @@ At the level of each organizational unit in the Active Directory hierarchy, one,
|
||||
|
||||
This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects.
|
||||
|
||||
This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked.
|
||||
This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. For more information see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/).
|
||||
|
||||
### <a href="" id="bkmk-secpolprocessing"></a>Security settings policy processing
|
||||
|
||||
|
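Review bot: the sentence appended to the **Enforced** / **Block Inheritance** paragraph needs a comma after "For more information", and it points at a `blogs.technet.microsoft.com` post rather than a page in this documentation set. If an equivalent article exists in the docs, link to that instead so the reference does not depend on the blog staying online.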
@ -48,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security
|
||||
Extract the contents of the .zip files:
|
||||
|
||||
```bash
|
||||
mavel-macmini:Downloads test$ ls -l
|
||||
ls -l
|
||||
total 721152
|
||||
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
|
||||
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
|
||||
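Review bot: with the shell prompt dropped, `ls -l` and its output (`total 721152` and the file listing) now sit in the same `bash` fence with nothing to separate the command from what it prints. Either keep a neutral `$ ` prefix on the command line or move the output into its own fence, and apply the same choice to the other `bash` blocks changed in this file.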
@ -92,7 +92,7 @@ If you did not enable Microsoft's driver during installation, then the applicati
|
||||
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ mdatp --health
|
||||
mdatp --health
|
||||
...
|
||||
realTimeProtectionAvailable : false
|
||||
realTimeProtectionEnabled : true
|
||||
@ -112,7 +112,7 @@ In this case, you need to perform the following steps to enable Real-Time Protec
|
||||
|
||||
1. In Terminal, attempt to install the driver. (The operation will fail)
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
|
||||
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
|
||||
Diagnostics for /Library/Extensions/wdavkext.kext:
|
||||
@ -125,13 +125,13 @@ In this case, you need to perform the following steps to enable Real-Time Protec
|
||||
4. In Terminal, install the driver again. This time the operation will succeed:
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
```
|
||||
|
||||
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ mdatp --health
|
||||
mdatp --health
|
||||
...
|
||||
realTimeProtectionAvailable : true
|
||||
realTimeProtectionEnabled : true
|
||||
@ -145,20 +145,20 @@ realTimeProtectionEnabled : true
|
||||
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
|
||||
|
||||
```bash
|
||||
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
|
||||
mdatp --health orgId
|
||||
```
|
||||
|
||||
2. Install the configuration file on a client machine:
|
||||
|
||||
```bash
|
||||
mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
|
||||
python WindowsDefenderATPOnboarding.py
|
||||
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
|
||||
```
|
||||
|
||||
3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
|
||||
|
||||
```bash
|
||||
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
|
||||
mdatp --health orgId
|
||||
E6875323-A6C0-4C60-87AD-114BBE7439B8
|
||||
```
|
||||
|
||||
|
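Review bot: the sample output in step 3 prints what looks like a real organization identifier, `E6875323-A6C0-4C60-87AD-114BBE7439B8`. Since these blocks are being cleaned of the test machine's prompt anyway, replace the value with an obvious placeholder GUID. The quoted onboarding output two blocks earlier also reads "enter sudos password"; if that string comes from the script, it is worth fixing at the source.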
@ -31,7 +31,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
|
||||
1. Increase logging level:
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ mdatp --log-level verbose
|
||||
mdatp --log-level verbose
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
Operation succeeded
|
||||
@ -39,19 +39,18 @@ If you can reproduce a problem, please increase the logging level, run the syste
|
||||
|
||||
2. Reproduce the problem
|
||||
|
||||
3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The command will print out location with generated zip file.
|
||||
3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ mdatp --diagnostic --create
|
||||
mdatp --diagnostic --create
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
"/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
|
||||
```
|
||||
|
||||
4. Restore logging level:
|
||||
|
||||
```bash
|
||||
mavel-mojave:~ testuser$ mdatp --log-level info
|
||||
mdatp --log-level info
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
Operation succeeded
|
||||
|
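Review bot: in step 3, "to backup Microsoft Defender ATP's logs" uses the noun where the verb is needed; make it "to back up". "Stored inside of a .zip archive" can be shortened to "stored in a .zip archive". The step would also benefit from one sentence on where the archive should be sent, because the output only shows a local path under `/Library/Application Support/Microsoft/Defender/wdavdiag/`.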
@ -64,7 +64,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
|
||||
|
||||
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
|
||||
|
||||
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
|
||||
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
|
||||
|
||||
If you prefer the command line, you can also check the connection by running the following command in Terminal:
|
||||
|
||||
|
@ -16,7 +16,7 @@ ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Windows Defender Antivirus in Windows 10 and Windows Server 2016
|
||||
# Windows Defender Antivirus
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -42,23 +42,7 @@ You can configure and manage Windows Defender Antivirus with:
|
||||
>- Fast learning (including Block at first sight)
|
||||
>- Potentially unwanted application blocking
|
||||
|
||||
## What's new in Windows 10, version 1803
|
||||
|
||||
- The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
- The [Virus & threat protection area in the Windows Security app](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings.
|
||||
|
||||
|
||||
## What's new in Windows 10, version 1703
|
||||
|
||||
New features for Windows Defender Antivirus in Windows 10, version 1703 include:
|
||||
- [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md)
|
||||
- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus protection in the Windows Security app](windows-defender-security-center-antivirus.md)
|
||||
|
||||
We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios:
|
||||
- [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md)
|
||||
- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
|
||||
|
||||
Check out [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp), including new features and capabilities in Windows Defender Antivirus.
|
||||
|
||||
<a id="sysreq"></a>
|
||||
## Minimum system requirements
|
||||
|
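Review bot: deleting the two "What's new" sections also drops the only visible links to the evaluation guide (`evaluate-windows-defender-antivirus.md`) and the VDI deployment guide (`deployment-vdi-windows-defender-antivirus.md`). Confirm both are still reachable from elsewhere on this page or from the TOC before merging. The replacement link is an absolute docs.microsoft.com URL, while every other link in the hunk is a relative `.md` path; use a relative path for consistency and so the link is checked at build time. Any inbound links to the removed heading anchors will also break.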
@ -14,6 +14,9 @@ author: dansimp
|
||||
ms.date: 05/17/2018
|
||||
---
|
||||
|
||||
> [!NOTE]
|
||||
> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
|
||||
|
||||
# Deploy Windows Defender Application Control policies by using Microsoft Intune
|
||||
|
||||
**Applies to:**
|
||||
|
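Review bot: the link in the new note stops at the date path, `https://www.microsoft.com/security/blog/2019/07/01/`, with no post slug, so it points at a date archive rather than the named article. Use the full post URL. The note is also placed above the `#` title, which puts it ahead of the H1 in the rendered page; move it below the heading, next to "Applies to".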
@ -27,7 +27,7 @@ manager: dansimp
|
||||
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
|
||||
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
|
||||
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
|
||||
|
||||
|
||||
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
|
||||
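Review bot: "Windows 10, versions 1709 and 1803 or later" is ambiguous, because 1803 is already later than 1709. If the rules are supported from 1709 onward, write "Windows 10, version 1709 or later"; if some rules need 1803, say so explicitly. The corrected Windows Server wording ("version 1803 (Semi-Annual Channel) or later") is clearer than what it replaces.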
@ -45,6 +45,19 @@ Triggered rules display a notification on the device. You can [customize the not
|
||||
|
||||
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
|
||||
|
||||
## Review attack surface reduction events in the Microsoft Security Center
|
||||
|
||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
||||
|
||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
|
||||
|
||||
Here is an example query:
|
||||
|
||||
```
|
||||
MiscEvents
|
||||
| where ActionType startswith 'Asr'
|
||||
```
|
||||
|
||||
## Review attack surface reduction events in Windows Event Viewer
|
||||
|
||||
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
|
||||
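Review bot: the second paragraph of the new section says Advanced hunting shows "how controlled folder access settings could affect your environment", but this page is about attack surface reduction rules and the query filters on `ActionType startswith 'Asr'`. This looks copied from the controlled folder access page; change it to "attack surface reduction rules". The query fence also has no language tag, and the heading says "Microsoft Security Center", so check that against the product name used elsewhere in the docs set.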
@ -147,7 +160,7 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
|
||||
|
||||
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
|
||||
|
||||
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
|
||||
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>File and folder exclusions don't apply to this attack surface reduction rule.
|
||||
|
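Review bot: with "You can exclude scripts so they're allowed to run." removed and the IMPORTANT note stating that exclusions don't apply, the paragraph still says line-of-business applications sometimes use scripts to download and launch installers but no longer tells the reader what to do about them. Add a pointer to evaluating the rule in audit mode first. The description also uses "VBScript" in the first sentence and "VBS" in the next; pick one.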
@ -227,7 +227,7 @@ Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThun
|
||||
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
|
||||
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|
||||
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|
||||
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
|
||||
Validate heap integrity | System and app-level | TerminateOnError | Audit not available
|
||||
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|
||||
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|
||||
Block remote images | App-level only | BlockRemoteImages | Audit not available
|
||||
|
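Review bot: the value for "Validate heap integrity" changes from `TerminateOnHeapError` to `TerminateOnError`. Readers copy these names straight into commands, so confirm the new spelling against the cmdlet's accepted values and search the rest of the docs set, including any sample XML and PowerShell snippets, for remaining uses of the old name so the table and the examples do not disagree.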
@ -45,6 +45,19 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
|
||||
>[!WARNING]
|
||||
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
|
||||
|
||||
## Review exploit protection events in the Microsoft Security Center
|
||||
|
||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
||||
|
||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
|
||||
|
||||
Here is an example query:
|
||||
|
||||
```
|
||||
MiscEvents
|
||||
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
|
||||
```
|
||||
|
||||
## Review exploit protection events in Windows Event Viewer
|
||||
|
||||
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
|
||||
|
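Review bot: the text says audit mode lets you see how exploit protection settings could affect the environment, but the example query returns audited and blocked events together with nothing to tell them apart. Consider showing a `project` or `summarize` on `ActionType` so the audit results are visible. The `!contains 'NetworkProtection'` exclusion deserves one sentence of explanation, because the reason for it is only apparent from the network protection page. The fence has no language tag, and the "Microsoft Security Center" heading should be checked against the product name used elsewhere.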
@ -51,6 +51,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par
|
||||
|
||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
|
||||
|
||||
Here is an example query
|
||||
|
||||
```
|
||||
MiscEvents
|
||||
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
|
||||
```
|
||||
|
||||
## Review network protection events in Windows Event Viewer
|
||||
|
||||
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
|
||||
|
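Review bot: "Here is an example query" is missing its trailing colon, unlike the same sentence in the two sibling sections added by this commit. The query fence is also untagged. The `in (...)` filter on the two explicit action types is clearer than a prefix match, so no change is needed to the query itself.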