Merge remote-tracking branch 'refs/remotes/origin/master' into rs3
@ -10,7 +10,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: nickbrower
|
||||
ms.date: 06/19/2017
|
||||
ms.date: 09/19/2017
|
||||
---
|
||||
|
||||
# MDM enrollment of Windows-based devices
|
||||
@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You
|
||||
|
||||
### Using the Settings app
|
||||
|
||||
1. Launch the Settings app.
|
||||
1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
|
||||
|
||||

|
||||

|
||||
|
||||
2. Next, navigate to **Accounts**.
|
||||
2. Navigate to **Access work or school**.
|
||||
|
||||

|
||||

|
||||
|
||||
3. Navigate to **Access work or school**.
|
||||
3. Click **Connect**.
|
||||
|
||||

|
||||

|
||||
|
||||
4. Click **Connect**.
|
||||
4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
|
||||
|
||||

|
||||

|
||||
|
||||
5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
|
||||
|
||||

|
||||
|
||||
6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
|
||||
5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
|
||||
|
||||
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
|
||||
|
||||
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM.
|
||||
|
||||
Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
|
||||
|
||||

|
||||
|
||||
7. After you complete the flow, your Microsoft account will be connected to your work or school account.
|
||||
6. After you complete the flow, your Microsoft account will be connected to your work or school account.
|
||||
|
||||

|
||||
|
||||
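Review bot: the new step 1 says the same thing twice ("Launch the Settings app and then click **Accounts**." followed by "Click **Start**, then the Settings icon, and then select **Accounts**") and the second sentence has no terminating period; keep a single phrasing, e.g. `1. Click **Start**, then the Settings icon, and then select **Accounts**.` While renumbering, the auto-enrollment paragraph still links the blog post over plain `http://`; prefer the `https://` form of the same URL so readers of an enrollment how-to are not sent over cleartext.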
@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
|
||||
|
||||
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
|
||||
|
||||
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
|
||||
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
|
||||
|
||||

|
||||
|
||||
After you complete the flow, your device will be connected to your organization’s MDM.
|
||||
|
||||

|
||||
|
||||
|
||||
### Connecting to MDM on a phone (Enrolling in device management)
|
||||
|
||||
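Review bot: the added sentence "Starting in Windows 10, version 1709, you will see the enrollment progress on screen." is appended to the second-factor paragraph, so it reads as part of the MFA prompt rather than as a separate step; give it its own paragraph directly ahead of the new screenshot, and align its wording with the Settings-app section above ("the status page that shows the progress of your device being set up") so both flows describe the same 1709 page the same way.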
@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi
|
||||
|
||||
Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
|
||||
|
||||

|
||||
|
||||
### Manage
|
||||
|
||||
The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios:
|
||||
|
||||
- Connecting your device to an Azure AD domain
|
||||
- Connecting to a work or school account.
|
||||
|
||||
Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser.
|
||||

|
||||
|
||||
### Info
|
||||
|
||||
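Review bot: this hunk removes the sentence and screenshot that explained what the **Manage** button does, but keeps the `### Manage` heading and its two scenario bullets, so the section now lists when the button appears without saying what clicking it does. Either keep "Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser." or state up front that the section applies to versions before 1709 (the note saying the button is gone in 1709 is added further down under `### Info` and belongs here). Minor: the two bullets are punctuated inconsistently ("domain" vs "account.").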
@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th
|
||||
|
||||
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
|
||||
|
||||

|
||||
Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
|
||||
|
||||

|
||||
|
||||
> [!Note]
|
||||
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
|
||||
|
||||
### Disconnect
|
||||
|
||||
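Review bot: typo in the added sentence "Here is an example screehshot." should read "screenshot". The added `> [!Note]` stating that the **Manage** button is no longer available in version 1709 sits under `### Info`; move it under `### Manage`, where a reader looking for that button will actually see it.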
@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click
|
||||
|
||||
> **Warning** Disconnecting might result in the loss of data on the device.
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
## Collecting diagnostic logs
|
||||
|
||||
|
||||
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
|
||||
|
||||

|
||||
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
|
||||
|
||||

|
||||
|
||||
|
||||
|
||||
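Review bot: the added "advanced diagnostic report" paragraph says a button creates the report but not where the report is written or how to retrieve it, unlike the existing export flow ("click **Export** and follow the path displayed to retrieve your management log files"); add the output location. A short sentence on what the report contains would also help users judge what they are handing to the helpdesk when asked for it.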
@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1000,8 +1000,17 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
<td style="vertical-align:top"><p>Added new policies.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">Microsoft Store for Business</td>
|
||||
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
|
||||
<td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
|
||||
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
|
||||
</td></tr>
|
||||
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
|
||||
<td style="vertical-align:top"><p>New features in the Settings app:</p>
|
||||
<ul>
|
||||
<li>User sees installation progress of critical policies during MDM enrollment.</li>
|
||||
<li>User knows what policies, profiles, apps MDM has configured</li>
|
||||
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
|
||||
</ul>
|
||||
<p>For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
|
||||
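Review bot: the added MDM-enrollment row begins with `<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>` immediately after the previous row's `</td></tr>`, with no opening `<tr class="...">`, so the table is malformed; the same row added in the later hunk is correctly preceded by `<tr class="odd">`. Add the opener, and since the preceding store row is `odd`, make this one `<tr class="even">`. Also the link text "Managing connection" differs from "Managing connections" used for the identical row below; use the plural (the anchor is `#managing-connections`) in both.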
@ -1384,8 +1393,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|
||||
<td style="vertical-align:top"><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">Microsoft Store for Business</td>
|
||||
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
|
||||
<td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
|
||||
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
|
||||
</td></tr>
|
||||
<tr class="even">
|
||||
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
|
||||
@ -1401,9 +1410,20 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|
||||
<td style="vertical-align:top">[EntepriseAPN CSP](enterpriseapn-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added a SyncML example.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
|
||||
<td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
|
||||
<td style="vertical-align:top"><p>New features in the Settings app:</p>
|
||||
<ul>
|
||||
<li>User sees installation progress of critical policies during MDM enrollment.</li>
|
||||
<li>User knows what policies, profiles, apps MDM has configured</li>
|
||||
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
|
||||
</ul>
|
||||
<p>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
|
||||
</td></tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
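Review bot: the added `<tr class="odd">` for the MDM-enrollment row directly follows the VPNv2 row, which is also `odd`, breaking the table's odd/even alternation; make the new row `even`. Context line `[EntepriseAPN CSP](enterpriseapn-csp.md)` is missing an "r" in the link text (EnterpriseAPN) and is worth fixing while this table is being touched.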
@ -124,6 +124,7 @@
|
||||
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
|
||||
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
|
||||
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
|
||||
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
|
||||
|
@ -61,7 +61,7 @@ By default, Windows Defender AV is installed and functional on Windows Server 20
|
||||
|
||||
If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
|
||||
|
||||

|
||||

|
||||
|
||||
See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard.
|
||||
|
||||
|
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: Enable Security Analytics in Windows Defender ATP
|
||||
description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard.
|
||||
keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 09/05/2017
|
||||
---
|
||||
|
||||
# Enable Security Analytics security controls
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
|
||||
|
||||
>[!NOTE]
|
||||
>Changes might take up to a few hours to reflect on the dashboard.
|
||||
|
||||
1. In the navigation pane, select **Preferences setup** > **Security Analytics**.
|
||||
|
||||

|
||||
|
||||
2. Select the security control, then toggle the setting between **On** and **Off**.
|
||||
|
||||
3. Click **Save preferences**.
|
||||
|
||||
## Related topics
|
||||
- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
|
||||
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: View the Security Analytics dashboard in Windows Defender ATP
|
||||
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
|
||||
keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
|
||||
keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -9,7 +9,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: mjcaparas
|
||||
localizationpriority: high
|
||||
ms.date: 09/05/2017
|
||||
ms.date: 10/02/2017
|
||||
---
|
||||
|
||||
# View the Windows Defender Advanced Threat Protection Security analytics dashboard
|
||||
@ -33,37 +33,41 @@ The **Security analytics dashboard** displays a snapshot of:
|
||||
- Organizational security score
|
||||
- Security coverage
|
||||
- Improvement opportunities
|
||||
- Security score over time
|
||||
|
||||

|
||||

|
||||
|
||||
## Organizational security score
|
||||
The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
|
||||
|
||||

|
||||

|
||||
|
||||
Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
|
||||
Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
|
||||
|
||||
The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
|
||||
|
||||
|
||||
In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
|
||||
In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile.
|
||||
|
||||
You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
## Security coverage
|
||||
The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
|
||||
The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
|
||||
|
||||
|
||||

|
||||

|
||||
|
||||
## Improvement opportunities
|
||||
Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
|
||||
|
||||
Click on each control to see the recommended optimizations.
|
||||
|
||||

|
||||

|
||||
|
||||
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
|
||||
|
||||
Recommendations that do not display a green action are informational only and no action is required.
|
||||
>[!IMPORTANT]
|
||||
>Recommendations that do not display a green triangle icon are informational only and no action is required.
|
||||
|
||||
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
|
||||
|
||||
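Review bot: the line "Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score." is replaced by visually identical text, so the change is whitespace-only; drop it to keep the diff focused. The updated example ("321 points for the six pillars") gives only the numerator; the preceding paragraph defines the denominator as number of controls times 100, so writing "321 out of 600" would make the arithmetic concrete for the reader. Context grammar: "The numbers beside the green triangle icon ... represents" should be "represent", and "where the the recommendation is applicable" has a doubled "the".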
@ -71,9 +75,22 @@ The following image shows an example list of machines where the EDR sensor is no
|
||||
|
||||

|
||||
|
||||
### Endpoint detection and response (EDR) optimization
|
||||
This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
|
||||
## Security score over time
|
||||
You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
|
||||
|
||||

|
||||
|
||||
You can click on specific date points to see the total score for that security control is on a particular date.
|
||||
|
||||
### Endpoint detection and response (EDR) optimization
|
||||
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
|
||||
|
||||
#### Minimum baseline configuration setting for EDR:
|
||||
- Windows Defender ATP sensor is on
|
||||
- Data collection is working correctly
|
||||
- Communication to Windows Defender ATP service is not impaired
|
||||
|
||||
#### Minimum baseline configuration setting for EDR:
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
- Turn on sensor
|
||||
- Fix sensor data collection
|
||||
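Review bot: the EDR baseline sentence is cut off: "...so that the minimum baseline configuration setting for your Endpoint detection and response tool." has no main verb; the parallel AV section ends "...is fulfilled", so add that here. The second `#### Minimum baseline configuration setting for EDR:` heading introduces the action list and should be `##### Recommended actions:`, matching the AV section. Also "to see the total score for that security control is on a particular date" should read "to see what the total score for that security control was on a particular date".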
@ -81,9 +98,19 @@ You can take the following actions to increase the overall security score of you
|
||||
|
||||
For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
### Windows Defender Antivirus optimization
|
||||
This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
|
||||
### Windows Defender Antivirus (Windows Defender AV) optimization
|
||||
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
|
||||
|
||||
#### Minimum baseline configuration setting for Windows Defender AV:
|
||||
Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
|
||||
|
||||
- Windows Defender AV is reporting correctly
|
||||
- Windows Defender AV is turned on
|
||||
- Signature definitions are up to date
|
||||
- Real-time protection is on
|
||||
- Potentially Unwanted Application (PUA) protection is enabled
|
||||
|
||||
##### Recommended actions:
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
|
||||
>[!NOTE]
|
||||
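Review bot: "it must comply to a minimum baseline configuration setting" should be "comply with"; the same phrase is introduced in every optimization section added in this change, so fix it once in all of them. The five baseline items (reporting, turned on, definitions up to date, real-time protection, PUA protection) and the recommended actions that follow should map one-to-one and in the same order, so a reader can tell which action clears which requirement; the actions list currently also carries "Turn on cloud-based protection", which has no baseline counterpart.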
@ -93,7 +120,6 @@ You can take the following actions to increase the overall security score of you
|
||||
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
|
||||
- Turn on antivirus
|
||||
- Update antivirus definitions
|
||||
- Turn on cloud-based protection
|
||||
- Turn on real-time protection
|
||||
- Turn on PUA protection
|
||||
|
||||
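Review bot: this hunk removes one bullet from the action list without changing the baseline above it; the only bullet with no counterpart in the five-item baseline is "Turn on cloud-based protection", so that is presumably the one dropped. If so, add a `>[!NOTE]` in the same style as the Mandatory ASLR note in the Exploit Guard section, stating that cloud-delivered protection is excluded from the baseline but still recommended, so the removal is not read as advice against enabling it.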
@ -105,14 +131,115 @@ This tile shows you the exact number of machines that require the latest securit
|
||||
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
- Install the latest security updates
|
||||
- Fix sensor data collection
|
||||
- The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
|
||||
For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
|
||||
|
||||
|
||||
### Windows Defender Exploit Guard (Windows Defender EG) optimization
|
||||
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
|
||||
|
||||
#### Minimum baseline configuration setting for Windows Defender EG:
|
||||
Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
|
||||
|
||||
- System level protection settings are configured correctly
|
||||
- Attack Surface Reduction rules are configured correctly
|
||||
- Controlled Folder Access setting is configured correctly
|
||||
|
||||
##### System level protection:
|
||||
The following system level configuration settings must be set to **On or Force On**:
|
||||
|
||||
1. Control Flow Guard
|
||||
2. Data Execution Prevention (DEP)
|
||||
3. Randomize memory allocations (Bottom-up ASLR)
|
||||
4. Validate exception chains (SEHOP)
|
||||
5. Validate heap integrity
|
||||
|
||||
>[!NOTE]
|
||||
>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
|
||||
>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
|
||||
|
||||
##### Attack Surface Reduction (ASR) rules:
|
||||
The following ASR rules must be configured to **Block mode**:
|
||||
|
||||
Rule description | GUIDs
|
||||
-|-
|
||||
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
|
||||
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
|
||||
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
|
||||
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
|
||||
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
|
||||
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
|
||||
>Consider enabling this rule in **Audit** or **Block mode** for better protection.
|
||||
|
||||
|
||||
##### Controlled Folder Access
|
||||
The Controlled Folder Access setting must be configured to **Audit** or **Block mode**.
|
||||
|
||||
>[!NOTE]
|
||||
> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
|
||||
>Consider enabling Controlled Folder Access for better protection.
|
||||
|
||||
##### Recommended actions:
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
- Turn on all system-level Exploit Protection settings
|
||||
- Set all ASR rules to enabled or audit mode
|
||||
- Turn on Controlled Folder Access
|
||||
- Turn on Windows Defender Antivirus on compatible machines
|
||||
|
||||
For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
|
||||
|
||||
### Windows Defender Application Guard (Windows Defender AG) optimization
|
||||
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
|
||||
|
||||
#### Minimum baseline configuration setting for Windows Defender AG:
|
||||
Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
|
||||
|
||||
- Hardware and software prerequisites are met
|
||||
- Windows Defender AG is turned on compatible machines
|
||||
- Managed mode is turned on
|
||||
|
||||
##### Recommended actions:
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
- Ensure hardware and software prerequisites are met
|
||||
|
||||
>[!NOTE]
|
||||
>This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
|
||||
|
||||
- Turn on Windows Defender AG on compatible machines
|
||||
- Turn on managed mode
|
||||
|
||||
|
||||
For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
|
||||
|
||||
|
||||
### Windows Defender SmartScreen optimization
|
||||
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
|
||||
|
||||
#### Minimum baseline configuration setting for Windows Defender SmartScreen:
|
||||
The following settings must be configured with the following settings:
|
||||
- Check apps and files: **Warn** or **Block**
|
||||
- SmartScreen for Microsoft Edge: **Warn** or **Block**
|
||||
- SmartScreen for Windows Store apps: **Warn** or **Off**
|
||||
|
||||
|
||||
You can take the following actions to increase the overall security score of your organization:
|
||||
- Set **Check app and files** to **Warn** or **Block**
|
||||
- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
|
||||
- Set **SmartScreen for Windows Store apps** to **Warn** or **Off**
|
||||
|
||||
For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
|
||||
|
||||
## Related topics
|
||||
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
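Review bot: the Related topics list links dashboard-windows-defender-advanced-threat-protection.md twice, once as "View the Windows Defender Advanced Threat Protection Security operations dashboard" and again as "View the Security operations dashboard"; keep one entry. In the SmartScreen section, "comply to a minimum baseline configuration setting" should read "comply with", the sentence "The following settings must be configured with the following settings:" repeats itself (suggest "Configure the following settings:"), and the setting is named "Check apps and files" in the baseline list but "Check app and files" in the actions list. Please also confirm that **Warn** or **Off** is the intended compliant state for SmartScreen for Windows Store apps: if Off already satisfies the baseline, the action item "Set **SmartScreen for Windows Store apps** to **Warn** or **Off**" asks the reader to change nothing.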
@ -144,7 +144,7 @@ You can review the Windows event log to see events that are created when an Atta
2. On the left panel, under **Actions**, click **Import custom view...**


3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
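Review bot: the screenshot reference moves from images/event-viewer-import-custom-view.png to images/events-import.png here and in the sibling event-view procedures in this commit; if nothing else references the old file, remove it in the same commit so the asset does not linger. Step 3 also tells the reader to navigate to the Exploit Guard Evaluation Package without linking it, while the alternative "copy the XML directly" is linked; the package link used elsewhere in this commit is https://aka.ms/mp7z2w.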
@ -75,7 +75,7 @@ You can review the Windows event log to see events that are created when Control
3. On the left panel, under **Actions**, click **Import custom view...**


4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
@ -75,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
4. Click **Add a protected folder** and follow the prompts to add apps.


### Use Group Policy to protect additional folders
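Review bot: step 4 ("Click **Add a protected folder** and follow the prompts to add apps") ends with "add apps", but this procedure adds folders; the later allowed-apps procedure reads "Click **Add an allowed app** and follow the prompts to add apps", so the sentence looks copied across. Suggest "follow the prompts to add folders".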
@ -107,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.


>[!IMPORTANT]
@ -144,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Add an allowed app** and follow the prompts to add apps.


### Use Group Policy to whitelist specific apps
@ -178,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.


>[!IMPORTANT]
@ -51,25 +51,25 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".


The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
Mitigation | Description | Can be applied to | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
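Review bot: "Some mitigations have additional options, these are indicated in the description in the table" is a comma splice in both the old and the new sentence; suggest "Some mitigations have additional options; these are indicated in the description in the table." Dropping the system default from the table header and from the six system-level rows leaves the **Use default** screenshot and the sentence "Default values are always specified in brackets at the **Use default** option" as the only source for defaults, which is acceptable as long as that sentence stays next to the table. For the Mandatory ASLR row, the option to "fail loading images that don't have relocation information" will, by definition, stop any app that depends on such an image from loading; since the paragraph above tells enterprise deployments they may move away from the defaults, a one-line caveat on that row would help.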
@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:


3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
Changing some settings may required a restart, which will be indicated in red text underneath the setting.


4. Repeat this for all the system-level mitigations you want to configure.
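Review bot: "Changing some settings may required a restart" should read "may require a restart".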
@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:


3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
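Review bot: step 2 here says "and then the **Exploit protection settings** at the bottom of the screen", while step 2 of the system-settings procedure earlier in this commit says "and then the **Exploit protection** label" and the import-export procedure later in this commit says "click **Exploit protection settings**"; all three refer to the same link, so pick one label and use it throughout.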
@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.


4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.


You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
@ -79,7 +79,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
- Disabled = 0
- Audit mode = 2


@ -60,7 +60,7 @@ For further details on how audit mode works, and when you might want to use it,
3. Set the switch for the feature to **On**


### Use Group Policy to enable Controlled folder access
@ -77,7 +77,7 @@ For further details on how audit mode works, and when you might want to use it,
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.


>[!IMPORTANT]
>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
@ -57,7 +57,7 @@ This tool has a simple user interface that lets you choose a rule, configure it
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.


Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
@ -99,7 +99,7 @@ Audit | The rule wil fire, but the suspicious behavior will **not** be blocked f
Block mode will cause a notification to appear on the user's desktop:


You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
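Review bot: the hunk's context line carries a typo from the table above it: "The rule wil fire" should be "The rule will fire".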
@ -73,11 +73,11 @@ You can enable Controlled folder access, run the tool, and see what the experien
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.


7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:


## Review Controlled folder access events in Windows Event Viewer
@ -64,7 +64,7 @@ You can also carry out the processes described in this topic in audit or disable
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.


## Review Network protection events in Windows Event Viewer
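Review bot: "network connnection was blocked" should read "network connection was blocked".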
@ -47,7 +47,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
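Review bot: the "appropraite" fix is right; the sentence that follows, "The following filenames are each of the custom views:", still reads awkwardly and could be "Each custom view is a separate XML file:".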
@ -57,7 +57,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Import Custom View...**


4. Navigate to where you extracted XML file for the custom view you want and select it.
@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Create Custom View...**


4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
@ -76,7 +76,7 @@ You can review the Windows event log to see events that are created when Exploit
3. On the left panel, under **Actions**, click **Import custom view...**


4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
@ -66,16 +66,15 @@ When you have configured Exploit protection to your desired state (including bot
### Use the Windows Defender Security Center app to export a configuration file
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:


3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.


>[!NOTE]
>When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
@ -151,7 +150,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**.


6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
@ -70,7 +70,7 @@ You can review the Windows event log to see events that are created when Network
2. On the left panel, under **Actions**, click **Import custom view...**


3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
@ -125,11 +125,11 @@ See the following links for more information on the features in the Windows Defe
You can customize notifcations so they show information to users about how to get more help from your organization's help desk.


This information will also appear as a pop-out window on the Windows Defender Security Center app.


Users can click on the displayed information to get more help:
- Clicking **Call** or the phone number will open Skype to start a call to the displayed number
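Review bot: "You can customize notifcations" should read "notifications".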