deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into nimishasatapathy-4749599-ASCIIimageconversion

Browse Source
This commit is contained in:
Asha Iyengar 2021-01-08 22:49:50 +05:30 committed by GitHub
commit 16131e3711
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
48 changed files with 928 additions and 425 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/bitlocker-csp.md
View File

@ -318,6 +318,10 @@ If you disable or do not configure this setting, users can configure only basic
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
> [!NOTE]
> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern
> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
Sample value for this node to enable this policy is:
```xml

2
windows/security/threat-protection/auditing/event-4624.md
View File

@ -156,7 +156,7 @@ This event generates when a logon session is created (on destination machine). I
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.

17
windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -1,13 +1,12 @@
---
title: WDAC and virtualization-based code integrity (Windows 10)
description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -19,24 +18,24 @@ ms.custom: asr
- Windows 10
- Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organizations digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? Thats because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## Windows Defender Application Control
When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable code integrity either.
When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldnt use configurable code integrity either.
Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
## Related articles

82
windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
View File

@ -21,12 +21,12 @@ manager: dansimp
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
This topic describes some common mistake that you should avoid when defining exclusions.
This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
**Do not add exclusions for the following folder locations:**
@ -61,44 +61,44 @@ There are certain files, file types, folders, or processes that you should not e
- C:\Windows\Temp\*
**Do not add exclusions for the following file extensions:**
- .7zip
- .bat
- .bin
- .cab
- .cmd
- .com
- .cpl
- .dll
- .exe
- .fla
- .gif
- .gz
- .hta
- .inf
- .java
- .jar
- .job
- .jpeg
- .jpg
- .js
- .ko
- .ko.gz
- .msi
- .ocx
- .png
- .ps1
- .py
- .rar
- .reg
- .scr
- .sys
- .tar
- .tmp
- .url
- .vbe
- .vbs
- .wsf
- .zip
- `.7zip`
- `.bat`
- `.bin`
- `.cab`
- `.cmd`
- `.com`
- `.cpl`
- `.dll`
- `.exe`
- `.fla`
- `.gif`
- `.gz`
- `.hta`
- `.inf`
- `.java`
- `.jar`
- `.job`
- `.jpeg`
- `.jpg`
- `.js`
- `.ko`
- `.ko.gz`
- `.msi`
- `.ocx`
- `.png`
- `.ps1`
- `.py`
- `.rar`
- `.reg`
- `.scr`
- `.sys`
- `.tar`
- `.tmp`
- `.url`
- `.vbe`
- `.vbs`
- `.wsf`
- `.zip`
>[!NOTE]
> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
@ -150,7 +150,7 @@ Do not use a single exclusion list to define exclusions for multiple server work
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
## Related topics
## Related articles
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
View File

@ -22,7 +22,7 @@ ms.date: 10/22/2020
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ manager: dansimp
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.

22
windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -39,20 +39,20 @@ To configure these settings:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled|
|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days |
|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) |
|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed |
|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable |
|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable |
> [!IMPORTANT]
> Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -19,6 +19,10 @@ ms.custom: nextgen
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).

8
windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -29,11 +29,11 @@ Depending on the management tool you are using, you may need to specifically ena
See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
## Related topics
## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

2
windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
View File

@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
---

6
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Manage how and where Microsoft Defender AV receives updates
title: Manage how and where Microsoft Defender Antivirus receives updates
description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
ms.custom: nextgen
---
@ -170,7 +170,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
MD C:\Temp\TempSigs\x86
```
3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
4. Click **Manual Download**.

176
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 12/05/2020
ms.date: 01/07/2021
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@ -47,7 +47,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes).
For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
@ -64,17 +64,17 @@ You can manage the distribution of updates through one of the following methods:
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
## Monthly platform and engine versions
For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
All our updates contain
- performance improvements;
- serviceability improvements; and
- integration improvements (Cloud, Microsoft 365 Defender).
<br/>
<br/><br/>
<details>
@ -87,6 +87,7 @@ All our updates contain
&ensp;Support phase: **Security and Critical Updates**
### What's new
- Improved SmartScreen status support logging
- Apply CPU throttling policy to manually initiated scans
@ -103,12 +104,14 @@ No known issues
&ensp;Support phase: **Security and Critical Updates**
### What's new
- New descriptions for special threat categories
- Improved emulation capabilities
- Improved host address allow/block capabilities
- New option in Defender CSP to Ignore merging of local user exclusions
### Known Issues
No known issues
<br/>
</details><details>
@ -121,6 +124,7 @@ No known issues
&ensp;Support phase: **Security and Critical Updates**
### What's new
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
- CSP support for ignoring exclusion merges
@ -132,9 +136,16 @@ No known issues
- Improved Office VBA module scanning
### Known Issues
No known issues
<br/>
</details>
### Previous version updates: Technical upgrade support only
After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
<br/><br/>
<details>
<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
@ -142,7 +153,6 @@ No known issues
&ensp;Released: **August 27, 2020**
&ensp;Platform: **4.18.2008.9**
&ensp;Engine: **1.1.17400.5**
&ensp;Support phase: **Security and Critical Updates**
### What's new
@ -166,11 +176,12 @@ No known issues
&ensp;Released: **July 28, 2020**
&ensp;Platform: **4.18.2007.8**
&ensp;Engine: **1.1.17300.4**
&ensp;Support phase: **Security and Critical Updates**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Improved telemetry for BITS
* Improved Authenticode code signing certificate validation
- Improved telemetry for BITS
- Improved Authenticode code signing certificate validation
### Known Issues
No known issues
@ -184,15 +195,16 @@ No known issues
&ensp;Released: **June 22, 2020**
&ensp;Platform: **4.18.2006.10**
&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
* Skipping aggressive catchup scan in Passive mode.
* Allow Defender to update on metered connections
* Fixed performance tuning when caching is disabled
* Fixed registry query
* Fixed scantime randomization in ADMX
- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
- Skipping aggressive catchup scan in Passive mode.
- Allow Defender to update on metered connections
- Fixed performance tuning when caching is disabled
- Fixed registry query
- Fixed scantime randomization in ADMX
### Known Issues
No known issues
@ -206,15 +218,16 @@ No known issues
&ensp;Released: **May 26, 2020**
&ensp;Platform: **4.18.2005.4**
&ensp;Engine: **1.1.17100.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Improved logging for scan events
* Improved user mode crash handling.
* Added event tracing for Tamper protection
* Fixed AMSI Sample submission
* Fixed AMSI Cloud blocking
* Fixed Security update install log
- Improved logging for scan events
- Improved user mode crash handling.
- Added event tracing for Tamper protection
- Fixed AMSI Sample submission
- Fixed AMSI Cloud blocking
- Fixed Security update install log
### Known Issues
No known issues
@ -228,16 +241,16 @@ No known issues
&ensp;Released: **April 30, 2020**
&ensp;Platform: **4.18.2004.6**
&ensp;Engine: **1.1.17000.2**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* WDfilter improvements
* Add more actionable event data to attack surface reduction detection events
* Fixed version information in diagnostic data and WMI
* Fixed incorrect platform version in UI after platform update
* Dynamic URL intel for Fileless threat protection
* UEFI scan capability
* Extend logging for updates
- WDfilter improvements
- Add more actionable event data to attack surface reduction detection events
- Fixed version information in diagnostic data and WMI
- Fixed incorrect platform version in UI after platform update
- Dynamic URL intel for Fileless threat protection
- UEFI scan capability
- Extend logging for updates
### Known Issues
No known issues
@ -251,15 +264,15 @@ No known issues
&ensp;Released: **March 24, 2020**
&ensp;Platform: **4.18.2003.8**
&ensp;Engine: **1.1.16900.4**
&ensp;Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
* Improve diagnostic capability
* reduce Security intelligence timeout (5 min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
- Improve diagnostic capability
- reduce Security intelligence timeout (5 min)
- Extend AMSI engine internal log capability
- Improve notification for process blocking
### Known Issues
[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
@ -272,11 +285,11 @@ No known issues
<summary> February-2020 (Platform: - | Engine: 1.1.16800.2)</summary>
Security intelligence update version: **1.311.4.0**
Released: **February 25, 2020**
Platform/Client: **-**
Engine: **1.1.16800.2**
Support phase: **N/A**
&ensp;Security intelligence update version: **1.311.4.0**
&ensp;Released: **February 25, 2020**
&ensp;Platform/Client: **-**
&ensp;Engine: **1.1.16800.2**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
@ -294,24 +307,26 @@ Security intelligence update version: **1.309.32.0**
Released: **January 30, 2020**
Platform/Client: **4.18.2001.10**
Engine: **1.1.16700.2**
Support phase: **Technical upgrade Support (Only)**
&ensp;Support phase: **Technical upgrade support (only)**
### What's new
* Fixed BSOD on WS2016 with Exchange
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
* Fix 4.18.1911.3 hang
- Fixed BSOD on WS2016 with Exchange
- Support platform updates when TMP is redirected to network path
- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
- Fix 4.18.1911.3 hang
### Known Issues
[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
<br/>
> [!IMPORTANT]
> This updates is needed by RS1 devices running lower version of the platform to support SHA2. <br/>This update has reboot flag for systems that are experiencing the hang issue.<br/> the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
<br/>
> [!IMPORTANT]
> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
> This update is:
> - needed by RS1 devices running lower version of the platform to support SHA2;
> - has a reboot flag for systems that have hanging issues;
> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
> - is categorized as an update due to the reboot requirement; and
> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
<br/>
</details>
@ -326,24 +341,23 @@ Support phase: **No support**
### What's new
* Fixed MpCmdRun tracing level
* Fixed WDFilter version info
* Improve notifications (PUA)
* add MRT logs to support files
- Fixed MpCmdRun tracing level
- Fixed WDFilter version info
- Improve notifications (PUA)
- add MRT logs to support files
### Known Issues
When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
<br/>
</details>
## Microsoft Defender Antivirus platform support
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
@ -354,22 +368,38 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
|Windows 10 release |Platform version |Engine version |Support phase |
|:---|:---|:---|:---|
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
## Updates for Deployment Image Servicing and Management (DISM)
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
<details>
<summary>1.1.2101.02</summary>
&ensp;Package version: **1.1.2101.02**
&ensp;Platform version: **4.18.2011.6**
&ensp;Engine version: **1.17700.4**
&ensp;Signature version: **1.329.1796.0**
### Fixes
- None
### Additional information
- None
<br/>
</details><details>
<summary>1.1.2012.01</summary>
&ensp;Package version: **1.1.2012.01**
@ -427,12 +457,12 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
<br/>
</details>
## See also
## Additional resources
| Article | Description |
|:---|:---|
|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. |
|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. |
|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. |
|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |

64
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Define how mobile devices are updated by Microsoft Defender AV
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
title: Define how mobile devices are updated by Microsoft Defender Antivirus
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -11,7 +11,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@ -25,53 +24,56 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
There are two settings that are useful for these devices:
- Opt-in to Microsoft Update on mobile computers without a WSUS connection
- Opt in to Microsoft Update on mobile computers without a WSUS connection
- Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
The following articles may also be useful in these situations:
- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
## Opt-in to Microsoft Update on mobile computers without a WSUS connection
## Opt in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update.
You can opt-in to Microsoft Update on the mobile device in one of the following ways:
You can opt in to Microsoft Update on the mobile device in one of the following ways:
1. Change the setting with Group Policy
2. Use a VBScript to create a script, then run it on each computer in your network.
3. Manually opt-in every computer on your network through the **Settings** menu.
- Change the setting with Group Policy.
- Use a VBScript to create a script, then run it on each computer in your network.
- Manually opt in every computer on your network through the **Settings** menu.
### Use Group Policy to opt-in to Microsoft Update
### Use Group Policy to opt in to Microsoft Update
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Select **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**.
### Use a VBScript to opt-in to Microsoft Update
### Use a VBScript to opt in to Microsoft Update
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
2. Run the VBScript you created on each computer in your network.
1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
### Manually opt-in to Microsoft Update
2. Run the VBScript you created on each computer in your network.
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
2. Click **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
### Manually opt in to Microsoft Update
1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in.
2. Select **Advanced** options.
3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
## Prevent Security intelligence updates when running on battery power
@ -79,17 +81,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat
### Use Group Policy to prevent security intelligence updates on battery power
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
3. Select **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**.
This action prevents protection updates from downloading when the PC is on battery power.
## Related articles

4
windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
View File

@ -24,9 +24,9 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Microsoft Defender Antivirus
- Office 365
- Microsoft 365
You might already know that:

26
windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
View File

@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 11/19/2020
ms.date: 01/07/2021
---
# Protect security settings with tamper protection
@ -24,8 +24,12 @@ ms.date: 11/19/2020
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Tamper protection is available on devices running the following versions of Windows:
- Windows 10
- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
## Overview
@ -74,7 +78,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.
1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
@ -90,7 +94,7 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection:
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
@ -101,15 +105,15 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
3. Select **Devices** > **Configuration Profiles**.
4. Create a profile as follows:
4. Create a profile that includes the following settings:
- Platform: **Windows 10 and later**
- **Platform: Windows 10 and later**
- Profile type: **Endpoint protection**
- **Profile type: Endpoint protection**
- Category: **Microsoft Defender Security Center**
- **Category: Microsoft Defender Security Center**
- Tamper Protection: **Enabled**
- **Tamper Protection: Enabled**
![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png)
@ -132,7 +136,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
> [!IMPORTANT]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
@ -209,7 +213,7 @@ Your regular group policy doesnt apply to tamper protection, and changes to M
### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?

2
windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
View File

@ -23,7 +23,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.

2
windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
View File

@ -21,7 +21,7 @@ ms.custom: nextgen
**Applies to:**
- Microsoft Defender Antivirus
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.

10
windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
View File

@ -1,6 +1,6 @@
---
title: Customize controlled folder access
description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -12,7 +12,7 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon
manager: dansimp
ms.date: 12/16/2020
ms.date: 01/06/2021
---
# Customize controlled folder access
@ -38,7 +38,7 @@ This article describes how to customize controlled folder access capabilities, a
## Protect additional folders
Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries.
@ -72,7 +72,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
### Use PowerShell to protect additional folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
@ -125,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a
### Use PowerShell to allow specific apps
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell

51
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.date: 12/14/2020
ms.date: 01/07/2021
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@ -32,7 +32,7 @@ ms.collection:
## What is EDR in block mode?
When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach.
[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled.
@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@ -71,32 +71,61 @@ The following image shows an instance of unwanted software that was detected and
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/><br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/>In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
## Frequently asked questions
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection?
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
### How do I set Microsoft Defender Antivirus to passive mode?
See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
### How do I confirm Microsoft Defender Antivirus is in active or passive mode?
To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
#### Use PowerShell
1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
2. Type `Get-MpComputerStatus`.
3. In the list of results, in the **AMRunningMode** row, look for one of the following values:
- `Normal`
- `Passive Mode`
- `SxS Passive Mode`
To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus).
#### Use Command Prompt
1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.
2. Type `sc query windefend`.
3. In the list of results, in the **STATE** row, confirm that the service is running.
## See also
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)

14
windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 08/28/2020
ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
---
@ -38,20 +38,20 @@ You can set mitigation in audit mode for specific programs either by using the W
### Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply protection to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
1. If the app you want to configure is already listed, select it and then select **Edit**
2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
### PowerShell

308
windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 07/20/2020
ms.date: 01/06/2021
ms.reviewer: cjacks
manager: dansimp
ms.custom: asr
@ -223,7 +223,7 @@ Block low integrity images will prevent the application from loading files that
### Description
Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker.
Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker.
This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.
@ -257,7 +257,7 @@ The most common use of fonts outside of the system fonts directory is with [web
### Description
Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.
This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.
@ -275,9 +275,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft.
### Description
Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program).
This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.
The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation.
@ -296,7 +296,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei
### Description
Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.
If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.
@ -304,7 +304,7 @@ If you attempt to set the instruction pointer to a memory address not marked as
All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.
All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code.
### Configuration options
@ -324,7 +324,7 @@ This includes:
### Compatibility considerations
Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application.
Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.
### Configuration options
@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com
### Compatibility considerations
This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
### Configuration options
@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo
### Configuration options
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules:
- mshtml.dll
- flash*.ocx
- jscript*.ocx
- vbscript.dll
- vgx.dll
- mozjs.dll
- xul.dll
- acrord32.dll
- acrofx32.dll
- acroform.api
- `mshtml.dll`
- `flash*.ocx`
- `jscript*.ocx`
- `vbscript.dll`
- `vgx.dll`
- `mozjs.dll`
- `xul.dll`
- `acrord32.dll`
- `acrofx32.dll`
- `acroform.api`
Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
@ -400,7 +400,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t
### Description
Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose.
Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect.
@ -427,31 +427,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.
This mitigation protects the following Windows APIs:
- GetProcAddress
- GetProcAddressForCaller
- LoadLibraryA
- LoadLibraryExA
- LoadLibraryW
- LoadLibraryExW
- LdrGetProcedureAddress
- LdrGetProcedureAddressEx
- LdrGetProcedureAddressForCaller
- LdrLoadDll
- VirtualProtect
- VirtualProtectEx
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- NtProtectVirtualMemory
- CreateProcessA
- CreateProcessW
- WinExec
- CreateProcessAsUserA
- CreateProcessAsUserW
- GetModuleHandleA
- GetModuleHandleW
- RtlDecodePointer
- DecodePointer
- `GetProcAddress`
- `GetProcAddressForCaller`
- `LoadLibraryA`
- `LoadLibraryExA`
- `LoadLibraryW`
- `LoadLibraryExW`
- `LdrGetProcedureAddress`
- `LdrGetProcedureAddressEx`
- `LdrGetProcedureAddressForCaller`
- `LdrLoadDll`
- `VirtualProtect`
- `VirtualProtectEx`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `NtProtectVirtualMemory`
- `CreateProcessA`
- `CreateProcessW`
- `WinExec`
- `CreateProcessAsUserA`
- `CreateProcessAsUserW`
- `GetModuleHandleA`
- `GetModuleHandleW`
- `RtlDecodePointer`
- `DecodePointer`
### Compatibility considerations
@ -471,7 +471,7 @@ The size of the 32-bit address space places practical constraints on the entropy
### Compatibility considerations
Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).
### Configuration options
@ -488,40 +488,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@ -543,40 +543,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
If a ROP gadget is detected, the process is terminated.
@ -594,7 +594,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation.
### Description
Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
@ -619,7 +619,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic
### Description
*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
This mitigation is automatically applied to Windows Store applications.
@ -639,7 +639,7 @@ Applications that were not accurately tracking handle references, and which were
The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
- Preventing a HEAP handle from being freed
- Performing additional validation on extended block headers for heap allocations
- Performing another validation on extended block headers for heap allocations
- Verifying that heap allocations are not already flagged as in-use
- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
@ -672,48 +672,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows
The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution.
This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
The APIs intercepted by this mitigation are:
- LoadLibraryA
- LoadLibraryW
- LoadLibraryExA
- LoadLibraryExW
- LdrLoadDll
- VirtualAlloc
- VirtualAllocEx
- NtAllocateVirtualMemory
- VirtualProtect
- VirtualProtectEx
- NtProtectVirtualMemory
- HeapCreate
- RtlCreateHeap
- CreateProcessA
- CreateProcessW
- CreateProcessInternalA
- CreateProcessInternalW
- NtCreateUserProcess
- NtCreateProcess
- NtCreateProcessEx
- CreateRemoteThread
- CreateRemoteThreadEx
- NtCreateThreadEx
- WriteProcessMemory
- NtWriteVirtualMemory
- WinExec
- CreateFileMappingA
- CreateFileMappingW
- CreateFileMappingNumaW
- NtCreateSection
- MapViewOfFile
- MapViewOfFileEx
- MapViewOfFileFromApp
- LdrGetProcedureAddressForCaller
- `LoadLibraryA`
- `LoadLibraryW`
- `LoadLibraryExA`
- `LoadLibraryExW`
- `LdrLoadDll`
- `VirtualAlloc`
- `VirtualAllocEx`
- `NtAllocateVirtualMemory`
- `VirtualProtect`
- `VirtualProtectEx`
- `NtProtectVirtualMemory`
- `HeapCreate`
- `RtlCreateHeap`
- `CreateProcessA`
- `CreateProcessW`
- `CreateProcessInternalA`
- `CreateProcessInternalW`
- `NtCreateUserProcess`
- `NtCreateProcess`
- `NtCreateProcessEx`
- `CreateRemoteThread`
- `CreateRemoteThreadEx`
- `NtCreateThreadEx`
- `WriteProcessMemory`
- `NtWriteVirtualMemory`
- `WinExec`
- `CreateFileMappingA`
- `CreateFileMappingW`
- `CreateFileMappingNumaW`
- `NtCreateSection`
- `MapViewOfFile`
- `MapViewOfFileEx`
- `MapViewOfFileFromApp`
- `LdrGetProcedureAddressForCaller`
### Compatibility considerations
Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation.
This mitigation is incompatible with the Arbitrary Code Guard mitigation.

74
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -45,21 +45,21 @@ Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/44
Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: Will be deprecated, please upgrade
Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported
Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 8 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Mac OS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Linux | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
iOS | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Android | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 8.1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 8 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 7 SP1 Enterprise | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows 7 SP1 Pro | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Linux | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
macOS | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
> [!NOTE]
> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
@ -69,9 +69,9 @@ The following OS versions are supported when using [Azure Defender for Servers](
OS version | GCC | GCC High
:---|:---|:---
Windows Server 2016 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Coming soon | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg)
<br>
@ -106,24 +106,24 @@ These are the known gaps as of January 2021:
Feature name | GCC | GCC High
:---|:---|:---
Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Email notifications | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Web content filtering | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Coming soon | ![No](../images/svg/check-no.svg)
Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg)
Microsoft Threat Experts | ![No](../images/svg/check-no.svg) | ![No](../images/svg/check-no.svg)
Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Email notifications | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Evaluation lab | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Device health and compliance report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Integration with third-party products | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Management and APIs: Streaming API | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Management and APIs: Threat protection report | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Threat & vulnerability management | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Integrations: Azure Sentinel | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog

9
windows/security/threat-protection/microsoft-defender-atp/network-protection.md
View File

@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 04/30/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr
Network protection is supported beginning with Windows 10, version 1709.
For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@ -46,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
Windows 10 version | Microsoft Defender Antivirus
-|-
@ -76,7 +75,7 @@ You can review the Windows event log to see events that are created when network
1. [Copy the XML directly](event-views.md).
2. Click **OK**.
2. Select **OK**.
3. This will create a custom view that filters to only show the following events related to network protection:
@ -88,6 +87,6 @@ You can review the Windows event log to see events that are created when network
## Related articles
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.

9
windows/security/threat-protection/microsoft-defender-atp/onboarding.md
View File

@ -43,6 +43,15 @@ These are the steps you need to take to deploy Defender for Endpoint:
## Step 1: Onboard endpoints using any of the supported management tools
The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
<br />
<br />
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
### Onboarding tool options

5
windows/security/threat-protection/microsoft-defender-atp/use.md
View File

@ -36,6 +36,11 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
## Microsoft Defender for Endpoint interactive guide
In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats.
> [!VIDEO https://aka.ms/MSDE-IG]
### In this section
Topic | Description

6
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -21,6 +21,12 @@
##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
#### [Using the WDAC Wizard tool](wdac-wizard.md)
##### [Create a base WDAC policy with the Wizard](wdac-wizard-create-base-policy.md)
##### [Create a supplemental WDAC policy with the Wizard](wdac-wizard-create-supplemental-policy.md)
##### [Editing a WDAC policy with the Wizard](wdac-wizard-editing-policy.md)
##### [Merging multiple WDAC policies with the Wizard](wdac-wizard-merging-policies.md)
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 149 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 164 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 111 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

138
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Windows Defender Application Control Wizard Base Policy Creation
description: Creating new base application control policies with the Microsoft Windows Defender Application (WDAC) Wizard.
keywords: allow listing, block listing, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Creating a new Base Policy with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
## Template Base Policies
Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
| Template Base Policy | Description |
|---------------------------------|-------------------------------------------------------------------|
| **Default Windows Mode** | Default Windows mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li></ul>|
| **Allow Microsoft Mode** | Allow mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li><li>*All Microsoft-signed software*</li></ul>|
| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li><li>All Microsoft-signed software</li><li>*Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*</li></ul>|
*Italicized content denotes the changes in the current policy with respect to the policy prior.*
More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md).
![Selecting a base template for the policy](images/wdac-wizard-template-selection.png)
Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
## Configuring Policy Rules
Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title.
### Policy Rules Description
A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule.
| Rule option | Description |
|------------ | ----------- |
| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
|**[Hypervisor-protected code integrity (HVCI)](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10compatible driver must be WHQL certified. |
| **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
> [!div class="mx-imgBorder"]
> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
### Advanced Policy Rules Description
Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below.
| Rule option | Description |
|------------ | ----------- |
| **Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
| **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path thats only writable by an administrator) for any FileRule that allows a file based on FilePath. |
| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png)
> [!NOTE]
> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
## Creating custom file rules
[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver corp, is affected. |
| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules
Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **File description** | Specifies the file description provided by the developer of the binary. |
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |
> [!div class="mx-imgBorder"]
> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules
Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
#### Deleting Signing Rules
The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)

111
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md Normal file
View File

@ -0,0 +1,111 @@
---
title: Windows Defender Application Control Wizard Supplemental Policy Creation
description: Creating supplemental application control policies with the WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware, supplemental policy
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Creating a new Supplemental Policy with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
## Expanding a Base Policy
Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)
If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)
Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)
## Configuring Policy Rules
Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and will not be modifiable in the user interface.
A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title.
### Configurable Supplemental Policy Rules Description
There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
| Rule option | Description |
|------------ | ----------- |
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path thats only writable by an administrator) for any FileRule that allows a file based on FilePath. |
![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
## Creating custom file rules
File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver publisher, is affected. |
| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules
Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **File description** | Specifies the file description provided by the developer of the binary. |
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |
![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules
Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
#### Deleting Signing Rules
The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)

72
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Editing Windows Defender Application Control Policies with the Wizard
description: Editing existing base and supplemental policies with the Microsoft WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Editing existing base and supplemental WDAC policies with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
<ul>
<li>[Configuring policy rules](#configuring-policy-rules)</li>
<li>[Adding new allow or block file rules to existing policies](#adding-file-rules)</li>
<li>[Removing allow or block file rules on existing policies](#removing-file-rules)</li>
</ul>
## Configuring Policy Rules
The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)
A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
## Adding File Rules
The WDAC Wizard allows users to add rules to their existing policy seamlessly. Previously, this would have involved creating a new policy with the new rules and merging it with the existing policy.
Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules).
## Removing File Rules
The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png)
**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
```xml
<Signer ID="ID_SIGNER_CONTOSO_PUBLISHER" Name="Contoso LOB Publisher CA">
<CertRoot Type="TBS" Value="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" />
<CertPublisher Value="Contoso IT Dept App Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_LOB_APP_1" />
<FileAttribRef RuleID="ID_FILEATTRIB_LOB_APP_2" />
```
[comment]: <> (## Editing File Rules Coming soon!)
### Policy Creation
Once the policy is created, the new policy will be written to the same path as the in-edit policy. The new policy file name will have the policy version appended to the end of the file name. For instance, if the in-edit policy is saved at MyDocuments\BasePolicy.xml, after edit, the new policy will be saved at MyDocuments\BasePolicy_v10.0.0.1.xml.
## Up next
- [Merging WDAC policies using the Wizard](wdac-wizard-merging-policies.md)

32
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Windows Defender Application Control Wizard Policy Merging Operation
description: Merging multiple policies into a single application control policy with the Microsoft WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Merging existing policies with the WDAC Wizard
Beginning in Windows 10 version 1903, WDAC supports multiple policies. Before version 1903, however, Windows 10 could only have one WDAC policy. Consequently, users were required to merge multiple WDAC policies into one. The WDAC Wizard has a simple to use user interface to allow users to merge multiple WDAC policies. The Wizard can support up to 15 policy files as input during the merge workflow.
Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table.
> [!NOTE]
> The policy type and ID of the final output policy will be determined based on the type and ID of the **first policy** in the policy list table. For instance, if a legacy policy format policy and a multi-policy format policy are merged together, the output format of the policy will be whichever policy is specified first in the table. For more information on policy formats, visit the [Multiple WDAC Policies page](deploy-multiple-windows-defender-application-control-policies.md).
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.
![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)

50
windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Windows Defender Application Control Wizard
description: Microsoft Defender Application Control Wizard (WDAC) Wizard allows users to create, edit, and merge application control policies in a simple to use Windows application.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Windows Defender Application Control Wizard
**Applies to:**
- Windows 10
- Windows Server 2016 and above
The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](https://docs.microsoft.com/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
## Downloading the application
The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
**Supported Clients**
As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements:
- Windows builds 1909+
- For pre-1909 builds, the Enterprise SKU of Windows is installed
If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available.
## In this section
| Topic | Description |
| - | - |
| [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. |
| [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. |
| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. |
| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |

1
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
View File

@ -45,5 +45,6 @@ Once these business factors are in place, you are ready to begin planning your W
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit and merge WDAC policies. |
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.

34
windows/whats-new/whats-new-windows-10-version-2004.md
View File

@ -30,8 +30,11 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
### Windows Hello
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
@ -52,7 +55,7 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat
### Windows Setup
Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language ](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Improvements in Windows Setup with this release also include:
- Reduced offline time during feature updates
@ -84,7 +87,7 @@ Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/
### Windows Assessment and Deployment Toolkit (ADK)
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
@ -120,8 +123,11 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
### Windows Update for Business
[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Networking
@ -185,9 +191,13 @@ Several enhancements to the Windows 10 user interface are implemented in this re
### Cortana
[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
- In the coming months, with regular app updates through the Microsoft Store, well enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
@ -246,13 +256,13 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
## See Also
[Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
[Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
[Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>