deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #231 from MicrosoftDocs/public

Browse Source 
Public to master
This commit is contained in:
jcaparas 2019-05-20 14:43:37 -07:00 committed by GitHub
commit 1b48788ddc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 131 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/client-management/images/tcp-ts-14.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 284 KiB

After

Width:  |  Height:  |  Size: 267 KiB

2
windows/client-management/mdm/vpnv2-profile-xsd.md
View File

@ -132,7 +132,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
<xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
<xs:element maxOccurs="unbounded" name="CryptographySuite"minOccurs="0" maxOccurs="1">
<xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="AuthenticationTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1"/>

4
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -100,6 +100,8 @@ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_
>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
>
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>
>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command
@ -192,5 +194,5 @@ goto loop
- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/yongrhee/2018/01/09/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -30,7 +30,7 @@ Your environment is federated and you are ready to configure device registration
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
> [!NOTE]

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -1,5 +1,5 @@
---
title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business)
title: Hybrid Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Prerequisites for Hybrid Windows Hello for Business Deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
View File

@ -1,7 +1,7 @@
---
title: Configure Directory Synchronization for Hybrid key trust Windows Hello for Business
description: Azure Directory Syncrhonization for Hybrid Certificate Key Deployment (Windows Hello for Business)
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, syncrhonization, AADConnect
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
View File

@ -31,7 +31,7 @@ Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft
## Prerequisites
- Endpoints need to be on Windows 10, version 1809 or later
- You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
## Configuration steps

BIN
windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 195 KiB

After

Width:  |  Height:  |  Size: 207 KiB

9
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
View File

@ -87,9 +87,7 @@ The installation will proceed.
The client machine is not associated with orgId. Note that the orgid is blank.
```bash
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
```
2. Install the configuration file on a client machine:
@ -102,9 +100,8 @@ The installation will proceed.
3. Verify that the machine is now associated with orgId:
```bash
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
E6875323-A6C0-4C60-87AD-114BBE7439B8
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

21
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
View File

@ -175,26 +175,29 @@ You can monitor policy installation on a machine by following the JAMF's log fil
You can also check the onboarding status:
```bash
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
mavel-mojave:~ testuser$ mdatp --health
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
...
```
- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
- **licensed**: This confirms that the machine has an ATP license.
- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
- **orgid**: Your ATP org id, it will be the same for your organization.
## Check onboarding status
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```bash
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
mdatp --health healthy
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
This script returns:
- 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service
- 1 if the machine is not onboarded
- 3 if the connection to the daemon cannot be established (daemon is not running)
## Logging installation issues

82
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Installing Microsoft Defender ATP for Mac with different MDM product
description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution.
keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: #met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mavel
author: maximvelichko
ms.localizationpriority: #medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: #conceptual
---
# Deployment with a different MDM system
**Applies to:**
[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version.
## Approach
Your organization may use a Mobile Device Management (MDM) solution we do not officially support.
This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac.
However, we will not be able to provide support for deploying or managing Defender via these solutions.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
- Deploying a macOS .pkg to managed machines.
- Deploying macOS system configuration profiles to managed machines.
- Running an arbitrary admin-configured tool/script on managed machines.
The majority of modern MDM solutions include these features, however, they may call them differently.
You can deploy Defender without the last requirement from the list above, however:
- You won't be able to collect status in a centralized way
- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator
## Deployment
Most MDM solution use the same model for managing macOS machines, with similar terminology.
Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
### Package
Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package),
with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first.
### License settings
Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp".
MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info.
### KEXT
Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
## Was it successful?
Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine.

36
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -33,7 +33,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
```bash
mavel-mojave:~ testuser$ mdatp log-level --verbose
mavel-mojave:~ testuser$ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
@ -41,10 +41,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
3. Run `mdatp --diagnostic --create` to backup Defender ATP's logs. The command will print out location with generated zip file.
```bash
mavel-mojave:~ testuser$ mdatp --diagnostic
mavel-mojave:~ testuser$ mdatp --diagnostic --create
Creating connection to daemon
Connection established
"/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
@ -53,7 +53,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
4. Restore logging level:
```bash
mavel-mojave:~ testuser$ mdatp log-level --info
mavel-mojave:~ testuser$ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
@ -112,21 +112,21 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` |
|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp scan --path [path]` |
|Protection |Do a quick scan |`mdatp scan --quick` |
|Protection |Do a full scan |`mdatp scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` |
|Protection |Request a definition update |`mdatp --signature-update` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a definition update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information

10
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -45,6 +45,7 @@ In general you'll need to take the following steps:
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
### Prerequisites
@ -69,13 +70,14 @@ The following table lists the services and their associated URLs that your netwo
| Service | Description | URL |
| -------------- |:------------------------------------:| --------------------------------------------------------------------:|
| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` |
| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` |
To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal:
```bash
mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
OK
mavel-mojave:~ testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines.