mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 03:13:44 +00:00
Merge branch 'master' into MTE_premiereEOD
@ -14,15 +14,13 @@ ms.date: 06/26/2017
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note** To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
> [!Note]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
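Review bot: The new alert `> [!Note]` uses mixed case, while the alerts added elsewhere in this patch (federated discovery service, policy web service) use `> [!NOTE]`; the DocFX alert keyword is conventionally written in uppercase, so normalise this one, and the other `[!Note]` occurrences in the federated and mobile-device-enrollment topics, to `> [!NOTE]` so the files are consistent.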
@ -507,10 +505,3 @@ The following example shows the encoded provisioning XML.
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
@ -14,16 +14,14 @@ ms.date: 07/28/2017
# Federated authentication device enrollment
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
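Review bot: The unchanged context line `The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.` is missing two words and should read `The <AuthenticationServiceURL> element in the discovery response message specifies the web authentication broker page start URL.`; in addition, the three `In this topic` entries below it have no `- ` list markers, unlike the same list in the certificate-authentication topic, so they render as a single run-on paragraph of links. Both sit in the lines this hunk already touches, so fix them here.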
@ -32,12 +30,10 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> **Note** The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
@ -45,28 +41,28 @@ The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
```
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
```
```
```http
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache
```
```
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Count: 248
Body Byte Count: 0
```
```
```http
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
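Review bot: The `http` language tag added to the two trace-summary blocks (`Request Full Url: ...`, `Content Type: ...`, `Header Byte Count: ...`, `Body Byte Count: ...`) does not fit their content: those lines are a capture tool's summary rather than an HTTP message, so the highlighter has nothing to match. Keep `http` for the real request and response blocks (`GET /EnrollmentServer/Discovery.svc HTTP/1.1`, `HTTP/1.1 200 OK`) and leave the summaries untagged or tag them `text`.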
@ -86,7 +82,7 @@ The following logic is applied:
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
```
```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
```
@ -131,24 +127,21 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> **Note** Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> [!Note]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> **Note** The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
> [!Note]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
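Review bot: The context line `Parse out the OS version from the AuthenticiationServiceURL ...` has a typo (`AuthenticiationServiceURL` should be `AuthenticationServiceURL`), and the same element is then spelled `AuthenticationServiceUrl` two paragraphs later; since this hunk rewrites the surrounding note blocks, fix the typo and settle on one spelling. The `[!Note]` alerts introduced here should also be `[!NOTE]` to match the other alerts in the patch.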
@ -170,7 +163,7 @@ After authentication is complete, the auth server should return an HTML form doc
> [!NOTE]
> To make an application compatible with strict Content Security Policy, it is usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed.
```
```html
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
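Review bot: The block retagged `html` opens with response headers (`HTTP/1.1 200 OK`, `Content-Type: text/html; charset=UTF-8`, `Vary: Accept-Encoding`), so `http` is the accurate tag and matches the other blocks retagged in this patch; `html` would only fit if the headers were dropped and just the form document remained.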
@ -237,7 +230,6 @@ The following example shows a response received from the discovery web service w
## Enrollment policy web service
Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1.
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
@ -302,9 +294,8 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
The following snippet shows the policy web service response.
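Review bot: The context line `... policySchema in the GetPolicesResponse` misspells the message name; it is `GetPoliciesResponse` everywhere else in this patch (the policy web service introduction and the mobile device enrollment topic). Worth fixing while the note block directly under this paragraph is being rewritten.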
@ -387,7 +378,6 @@ The following snippet shows the policy web service response.
## Enrollment web service
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
@ -396,9 +386,8 @@ Note that the RequestSecurityToken will use a custom TokenType (http:<span></spa
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> **Note** The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
> [!Note]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
@ -487,9 +476,8 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
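Review bot: Verb agreement in the context line `the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS#10 requests to the CA ...`: `update` should be `updates`. Minor, but the hunk is already editing the note directly beneath it.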
@ -553,7 +541,7 @@ The following example shows the enrollment web service response.
The following code shows sample provisioning XML (presented in the preceding package as a security token):
```
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
@ -640,11 +628,3 @@ The following code shows sample provisioning XML (presented in the preceding pac
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
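Review bot: The unchanged bullet `The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment.` trails off (`by the enrollment` completes nothing); since this hunk only trims the file's trailing blank lines, consider tidying that sentence while here, for example `must be present in the enrollment provisioning XML`.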
@ -14,7 +14,6 @@ ms.date: 08/11/2017
# Mobile device enrollment
Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices can be managed by their enterprise.
The enrollment process includes the following steps:
@ -33,21 +32,20 @@ The enrollment process includes the following steps:
## Enrollment protocol
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:
**Discovery request**
### Discovery request
The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type.
**Certificate enrollment policy**
### Certificate enrollment policy
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345)
**Certificate enrollment**
### Certificate enrollment
The certificate enrollment is an implementation of the MS-WSTEP protocol.
**Management configuration**
### Management configuration
The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The following topics describe the end-to-end enrollment process using various authentication methods:
@ -56,19 +54,18 @@ The following topics describe the end-to-end enrollment process using various au
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
> **Note** As a best practice, do not use hardcoded server-side checks on values such as:
> [!Note]
> As a best practice, do not use hardcoded server-side checks on values such as:
> - User agent string
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
## Enrollment support for domain-joined devices
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
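Review bot: The `> [!Note]` added in this hunk should be `> [!NOTE]` like the other alerts in the patch, and the three bullets inside it are punctuated inconsistently (only `Specific formatting of any value unless otherwise noted, such as the format of the device ID.` ends with a period); end all three with a period or none.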

@ -89,7 +86,6 @@ The following scenarios do not allow MDM enrollments:
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
@ -100,7 +96,6 @@ To manually trigger enrollment migration, you can run MDMMaintenenceTask.
## Enrollment error messages
The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows:
```xml
@ -196,8 +191,6 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
</tbody>
</table>
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
```xml
@ -291,20 +284,11 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
</tbody>
</table>
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
## Related topics
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
@ -31,7 +31,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
> [!NOTE]
>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
@ -78,7 +78,7 @@ The following logic is applied:
- If the device is not redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address:
```
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
@ -130,7 +130,7 @@ The discovery response is in the XML format and includes the following fields:
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows a response received from the discovery web service for OnPremise authentication:
@ -215,7 +215,7 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> [!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
> The HTTP server response must not be chunked; it must be sent as one message.
The following snippet shows the policy web service response.
@ -307,7 +307,7 @@ The RequestSecurityToken will use a custom TokenType (http:<span></span>//schema
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> [!NOTE]
>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for OnPremise authentication.
@ -27,10 +27,12 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.<br/>If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
> This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
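Review bot: Splitting the `[!IMPORTANT]` alert with blank lines breaks it into three blockquotes: after the first blank line, the `> It may also prevent Microsoft Defender AV from enabling itself ...` and `> This will significantly lower the protection of your device ...` lines start new, plain blockquotes and lose the IMPORTANT styling. Replace each blank line between the `>` paragraphs with a bare `>` so the whole text stays inside one alert.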
@ -46,7 +48,7 @@ The Windows Security app is a client interface on Windows 10, version 1703 and l
## Comparison of settings and functions of the old app and the new app
All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
The following diagrams compare the location of settings and functions between the old and new apps:
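Review bot: The removed and added lines of `All of the previous functions and settings from the Windows Defender app ...` read identically, so this is presumably a trailing-whitespace or invisible-character change; harmless, but a reviewer cannot tell from the diff, so a word in the commit message would help.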
@ -95,7 +97,6 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -106,10 +107,9 @@ This section describes how to perform some of the most common tasks when reviewi
4. Toggle the **Real-time protection** switch to **On**.
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
>If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
> [!NOTE]
> If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
> If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
<a id="exclusions"></a>
@ -135,21 +135,19 @@ The following table summarizes exclusion types and what happens:
|**File type** |File extension <br/>Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path <br>Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
To learn more, see:
To learn more, see:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or
searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Threat history**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**,
**Allowed threats**).
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Threat history**
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
<a id="ransomware"></a>
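Review bot: The heading `### Review threat detection history in the Windows Defender Security Center app` and the rewritten step 1 (`Open the Windows Defender Security Center app by clicking the shield icon ...`) still use the old app name, while the rest of the article and the preceding task (`Ensure Microsoft Defender Antivirus is enabled in the Windows Security app`) say `Windows Security app`; since this hunk rewrites these steps, update the name here too. Step 3 `Click **Threat history**` also lacks the terminal period the other steps have.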
@ -167,6 +165,4 @@ To learn more, see:
## Related articles
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)