deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Rebrand System Center to Microsoft Endpoint 32 files _ Four

Browse Source
This commit is contained in:
LauraKellerGitHub 2019-12-26 20:39:45 -08:00
parent ca08257c47
commit 1d0236d76b
32 changed files with 79 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -30,8 +30,8 @@ Microsoft is committed to its vision of a <u>world without passwords.</u> We rec
## Can I use Windows Hello for Business key trust and RDP? ## Can I use Windows Hello for Business key trust and RDP?
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments. RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
## Can I deploy Windows Hello for Business using System Center Configuration Manager? ## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018. Windows Hello for Business deployments using Microsoft Endpoint Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.

2
windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
View File

@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location. - IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts. - Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them. Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.

2
windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
View File

@ -97,7 +97,7 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where its available to manage mobile device participation in Windows Hello. - Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where its available to manage mobile device participation in Windows Hello.
- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records dont contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. - The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records dont contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. - Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Microsoft Endpoint Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.

2
windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
View File

@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u
This policy setting controls the behavior of application installation detection for the computer. This policy setting controls the behavior of application installation detection for the computer.
- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. - **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary.
## User Account Control: Only elevate executable files that are signed and validated ## User Account Control: Only elevate executable files that are signed and validated

2
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
View File

@ -38,7 +38,7 @@ The Create command sets up new virtual smart cards on the users system. It re
| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. | | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PIN of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. | | /PIN | Indicates desired user PIN value.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PIN of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PUK of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PUK at the command line. | | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PUK of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PUK at the command line. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft System Center Configuration Manager. | | /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. | | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** &lt;minimum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specificed, defaults to 8. The lower bound is 4.<br>**maxlen** &lt;maximum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specificed, defaults to 127. The upper bound is 127.<br>**uppercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. | | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** &lt;minimum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specificed, defaults to 8. The lower bound is 4.<br>**maxlen** &lt;maximum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specificed, defaults to 127. The upper bound is 127.<br>**uppercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT**&nbsp;&nbsp;Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.<br>**AIK_ONLY**&nbsp;&nbsp;Creates an AIK but does not obtain an AIK certificate. | | /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT**&nbsp;&nbsp;Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.<br>**AIK_ONLY**&nbsp;&nbsp;Creates an AIK but does not obtain an AIK certificate. |

2
windows/security/identity-protection/vpn/vpn-profile-options.md
View File

@ -20,7 +20,7 @@ ms.date: 05/17/2018
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
>[!NOTE] >[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first. >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.

4
windows/security/information-protection/TOC.md
View File

@ -47,8 +47,8 @@
##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) ### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) #### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)

4
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -126,13 +126,13 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage
* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. * Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. * Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager. * Provides centralized reporting and hardware management with Microsoft Microsoft Endpoint Configuration Manager.
* Reduces the workload on the help desk to assist end users with BitLocker recovery requests. * Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
* Enables end users to recover encrypted devices independently by using the Self-Service Portal. * Enables end users to recover encrypted devices independently by using the Self-Service Portal.
* Enables security officers to easily audit access to recovery key information. * Enables security officers to easily audit access to recovery key information.
* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. * Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
* Enforces the BitLocker encryption policy options that you set for your enterprise. * Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as System Center Configuration Manager. * Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience. * Offers an IT-customizable recovery user experience.
* Supports Windows 10. * Supports Windows 10.

4
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -109,9 +109,9 @@ list volume
``` ```
![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) ![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager). If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
![Windows image configuration in System Center Configuration Manager](./images/sccm-imageconfig.jpg) ![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg)
#### Step 2: Verify the status of WinRE #### Step 2: Verify the status of WinRE

4
windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
View File

@ -47,7 +47,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important] >[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
> [!NOTE] > [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) - [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)

24
windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -1,9 +1,9 @@
--- ---
title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer: ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, Microsoft Endpoint Configuration Manager, Configuration Manager
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
@ -18,23 +18,23 @@ ms.topic: conceptual
ms.date: 05/13/2019 ms.date: 05/13/2019
--- ---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager # Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later - Windows 10 Mobile, version 1607 and later
- System Center Configuration Manager - Microsoft Endpoint Configuration Manager
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy ## Add a WIP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. After youve installed and set up Microsoft Endpoint Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
**To create a configuration item for WIP** **To create a configuration item for WIP**
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. 1. Open the Microsoft Endpoint Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) ![Microsoft Endpoint Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
2. Click the **Create Configuration Item** button.<p> 2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts. The **Create Configuration Item Wizard** starts.
@ -43,7 +43,7 @@ The **Create Configuration Item Wizard** starts.
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. 4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10 - **Settings for devices managed with the Configuration Manager client:** Windows 10
@ -62,7 +62,7 @@ The **Create Configuration Item Wizard** starts.
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy ## Add app rules to your policy
During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
@ -295,9 +295,9 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
</RuleCollection> </RuleCollection>
</AppLockerPolicy> </AppLockerPolicy>
``` ```
12. After youve created your XML file, you need to import it by using System Center Configuration Manager. 12. After youve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.
**To import your Applocker policy file app rule using System Center Configuration Manager** **To import your Applocker policy file app rule using Microsoft Endpoint Configuration Manager**
1. From the **App rules** area, click **Add**. 1. From the **App rules** area, click **Add**.
The **Add app rule** box appears. The **Add app rule** box appears.

2
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -86,7 +86,7 @@ Microsoft still has apps that are unenlightened, but which have been tested and
> [!NOTE] > [!NOTE]
> As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps. > As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Endpoint Configuration Manager.
| Product name | App info | | Product name | App info |

2
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas
- Auto labelling requires Windows 10, version 1903 - Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md) - WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)

2
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -114,7 +114,7 @@ This table provides info about the most common problems you might encounter whil
<li>SavedGames</li> <li>SavedGames</li>
</ul> </ul>
</td> </td>
<td>WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager.</td> <td>WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>. <td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
</td> </td>
</tr> </tr>

10
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
View File

@ -1,6 +1,6 @@
--- ---
title: Create a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
description: System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer: ms.reviewer:
ms.prod: w10 ms.prod: w10
@ -17,17 +17,17 @@ ms.topic: conceptual
ms.date: 02/26/2019 ms.date: 02/26/2019
--- ---
# Create a Windows Information Protection (WIP) policy using System Center Configuration Manager # Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:** **Applies to:**
- Windows 10, version 1607 and later - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later - Windows 10 Mobile, version 1607 and later
System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section ## In this section
|Topic |Description | |Topic |Description |
|------|------------| |------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |

2
windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -1,6 +1,6 @@
--- ---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer: ms.reviewer:
ms.prod: w10 ms.prod: w10

6
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -42,7 +42,7 @@ Youll need this software to run WIP in your enterprise:
|Operating system | Management solution | |Operating system | Management solution |
|-----------------|---------------------| |-----------------|---------------------|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| |Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Endpoint Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control? ## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
@ -79,7 +79,7 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions. - Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. - Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
## Why use WIP? ## Why use WIP?
WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE] >[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works ## How WIP works
WIP helps address your everyday challenges in the enterprise. Including: WIP helps address your everyday challenges in the enterprise. Including:

2
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Create work documents in enterprise-allowed apps.</td> <td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><br><br> <td><strong>For desktop:</strong><br><br>
<ul> <ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager</a>, based on your deployment system.</li> <li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
</ul> </ul>
<strong>For mobile:</strong><br><br> <strong>For mobile:</strong><br><br>
<ol> <ol>

6
windows/security/threat-protection/TOC.md
View File

@ -279,7 +279,7 @@
#### [Manage antivirus in your business]() #### [Manage antivirus in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) ##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) ##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) ##### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) ##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) ##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) ##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
@ -305,7 +305,7 @@
#### [Manage next generation protection in your business]() #### [Manage next generation protection in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) ##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) ##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) ##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) ##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) ##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
@ -342,7 +342,7 @@
##### [Onboard Windows 10 machines]() ##### [Onboard Windows 10 machines]()
###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) ###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) ###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
###### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) ###### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) ###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) ###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)

6
windows/security/threat-protection/auditing/audit-authorization-policy-change.md
View File

@ -25,9 +25,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:** **Events List:**

6
windows/security/threat-protection/auditing/audit-token-right-adjusted.md
View File

@ -16,9 +16,9 @@ For more information, see [Security Monitoring: A Possible New Way to Detect Pri
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:** **Events List:**

4
windows/security/threat-protection/auditing/event-4703.md
View File

@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:*** ***Event Description:***
This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -185,7 +185,7 @@ Token privileges provide the ability to take certain system-level actions that y
For 4703(S): A user right was adjusted. For 4703(S): A user right was adjusted.
As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
Otherwise, see the recommendations in the following table. Otherwise, see the recommendations in the following table.

2
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -43,7 +43,7 @@ To enable HVCI on Windows 10 devices with supporting hardware throughout an ente
- [Windows Security app](#windows-security-app) - [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy) - [Group Policy](#enable-hvci-using-group-policy)
- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Microsoft Endpoint Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
### Windows Security app ### Windows Security app

2
windows/security/threat-protection/get-support-for-security-baselines.md
View File

@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?** **Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?**
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).

4
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -81,7 +81,7 @@ The "engine version" of attack surface reduction events in the event log, is gen
## Attack surface reduction rules ## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
Rule name | GUID | File & folder exclusions Rule name | GUID | File & folder exclusions
-----------|------|-------------------------- -----------|------|--------------------------
@ -261,7 +261,7 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
> File and folder exclusions do not apply to this attack surface reduction rule. > File and folder exclusions do not apply to this attack surface reduction rule.
> [!WARNING] > [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. > Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019

6
windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
View File

@ -1,7 +1,7 @@
--- ---
title: Configure Threat & Vulnerability Management in Microsoft Defender ATP title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
ms.reviewer: ms.reviewer:
description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations.
keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
search.product: Windows 10 search.product: Windows 10
search.appverid: met150 search.appverid: met150
@ -23,13 +23,13 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)] [!include[Prerelease information](../../includes/prerelease.md)]
This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation.
### Before you begin ### Before you begin
> [!IMPORTANT] > [!IMPORTANT]
> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br> > Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.
>[!WARNING] >[!WARNING]
>Only Intune and SCCM enrolled devices are supported in this scenario.</br> >Only Intune and SCCM enrolled devices are supported in this scenario.</br>

2
windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
View File

@ -23,7 +23,7 @@ ms.date: 07/01/2018
You can configure attack surface reduction with a number of tools, including: You can configure attack surface reduction with a number of tools, including:
* Microsoft Intune * Microsoft Intune
* System Center Configuration Manager * Microsoft Endpoint Configuration Manager
* Group Policy * Group Policy
* PowerShell cmdlets * PowerShell cmdlets

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
View File

@ -150,7 +150,7 @@ With Group Policy there isnt an option to monitor deployment of policies on t
## Related topics ## Related topics
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
View File

@ -86,7 +86,7 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy
## Related topics ## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)

32
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
View File

@ -1,6 +1,6 @@
--- ---
title: Onboard Windows 10 machines using System Center Configuration Manager title: Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. description: Use Microsoft Endpoint Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 12/11/2018 ms.date: 12/11/2018
--- ---
# Onboard Windows 10 machines using System Center Configuration Manager # Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
**Applies to:** **Applies to:**
@ -31,8 +31,8 @@ ms.date: 12/11/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/> <span id="sccm1606"/>
## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 ## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see <a href="https://go.microsoft.com/fwlink/p/?linkid=823682" data-raw-source="[Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682)">Support for Microsoft Defender Advanced Threat Protection service</a>. Microsoft Endpoint Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see <a href="https://go.microsoft.com/fwlink/p/?linkid=823682" data-raw-source="[Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682)">Support for Microsoft Defender Advanced Threat Protection service</a>.
>[!NOTE] >[!NOTE]
> If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. > If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
@ -40,15 +40,15 @@ System Center Configuration Manager (SCCM) (current branch) version 1606, has UI
<span id="sccm1602"/> <span id="sccm1602"/>
## Onboard Windows 10 machines using System Center Configuration Manager earlier versions ## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager earlier versions
You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions: You can use existing Microsoft Endpoint Configuration Manager functionality to create a policy to configure your machines. This is supported in the following Microsoft Endpoint Configuration Manager versions:
- System Center 2012 Configuration Manager - System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager - System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch), version 1511 - Microsoft Endpoint Configuration Manager (current branch), version 1511
- System Center Configuration Manager (current branch), version 1602 - Microsoft Endpoint Configuration Manager (current branch), version 1602
### Onboard machines using System Center Configuration Manager ### Onboard machines using Microsoft Endpoint Configuration Manager
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -76,7 +76,7 @@ You can use existing System Center Configuration Manager functionality to create
### Configure sample collection settings ### Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. You can set a compliance rule for configuration item in Microsoft Endpoint Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint. This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
The configuration is set through the following registry key entry: The configuration is set through the following registry key entry:
@ -94,11 +94,11 @@ Possible values are:
The default value in case the registry key doesnt exist is 1. The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). For more information about Microsoft Endpoint Configuration Manager Compliance see [Get started with compliance settings in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
## Offboard machines using System Center Configuration Manager ## Offboard machines using Microsoft Endpoint Configuration Manager
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
@ -111,7 +111,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
b. Select Windows 10 as the operating system. b. Select Windows 10 as the operating system.
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. c. In the **Deployment method** field, select **Microsoft Endpoint Configuration Manager 2012/2012 R2/1511/1602**.
d. Click **Download package**, and save the .zip file. d. Click **Download package**, and save the .zip file.
@ -147,7 +147,7 @@ If there are failed deployments (machines with **Error**, **Requirements Not Met
![SCCM showing successful deployment with no errors](images/sccm-deployment.png) ![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
**Check that the machines are compliant with the Microsoft Defender ATP service:**<br> **Check that the machines are compliant with the Microsoft Defender ATP service:**<br>
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. You can set a compliance rule for configuration item in Microsoft Endpoint Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
@ -157,7 +157,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState” Name: “OnboardingState”
Value: “1” Value: “1”
``` ```
For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). For more information about Microsoft Endpoint Configuration Manager Compliance see [Get started with compliance settings in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
## Related topics ## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
View File

@ -136,7 +136,7 @@ Monitoring can also be done directly on the portal, or by using the different de
## Related topics ## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
View File

@ -94,7 +94,7 @@ The following steps will guide you through onboarding VDI machines and will high
## Related topics ## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)