Merge branch 'master' into mde-gov-updates
@ -28,6 +28,6 @@
## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.yml)
## [Microsoft Edge Frequently Asked Questions (FAQ)](microsoft-edge-faq.yml)
@ -38,7 +38,7 @@ You can find the Microsoft Edge Group Policy settings in the following location
To verify the settings:
1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\).
2. Click **Settings**.
3. Under Account, see if the setting is toggled on or off.<p>
3. Under Account, see if the setting is toggled on or off.<p>
## Do not sync browser settings
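Review bot: the step `3. Under Account, see if the setting is toggled on or off.<p>` appears identically in the old and new versions, so this hunk is a whitespace-only change; while touching that line, the trailing unclosed `<p>` could be dropped, since it adds nothing to the rendered numbered list and leaves stray HTML in the markdown include.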
@ -27,7 +27,7 @@ ms.topic: include
To verify Windows Defender SmartScreen is turned off (disabled):
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.<p>
2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.<p>
### ADMX info and settings
@ -1,6 +1,6 @@
### YamlMime:FAQ
metadata:
title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros
ms.reviewer:
audience: itpro
manager: dansimp
@ -13,9 +13,9 @@ metadata:
ms.sitesec: library
ms.localizationpriority: medium
title: Frequently Asked Questions (FAQs) for IT Pros
title: Frequently Asked Questions (FAQ) for IT Pros
summary: |
>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
@ -49,21 +49,26 @@ sections:
To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
- question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?
answer: No, Microsoft Edge doesn't support ActiveX controls and BHOs like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support.
answer: |
No, Microsoft Edge doesn't support ActiveX controls and Browser Helper Objects (BHOs) like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support.
- question: How often will Microsoft Edge be updated?
answer: In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
answer: |
In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
- question: How can I provide feedback on Microsoft Edge?
answer: Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar.
answer: |
Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar.
- question: Will Internet Explorer 11 continue to receive updates?
answer: |
We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
- question: How do I find out which version of Microsoft Edge I have?
answer: In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version.
answer: |
In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version.
- question: What is Microsoft EdgeHTML?
answer: Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*).
answer: |
Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*).
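Review bot: every `answer:` in this hunk is converted from an inline scalar to a block scalar (`answer: |`), which means the answer text on the following line must be indented deeper than the `answer` key for the YAML to parse; the rendered diff strips leading whitespace, so verify the indentation is consistent across all six converted answers (and matches the already block-scalar "Will Internet Explorer 11 continue to receive updates?" entry) before merging. Also, the Flash blog link still carries the `#3Bcc3QjRw0l7XsZ4.97` fragment, which is a share-tracking suffix rather than an anchor and could be trimmed to the plain URL.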
@ -1,5 +1,6 @@
# [Manage clients in Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
### [Use Quick Assist to help users](quick-assist.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
BIN
windows/client-management/images/quick-assist-flow.png
Normal file
@ -1,24 +1,29 @@
---
title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 01/17/2018
ms.date: 12/18/2020
ms.reviewer:
manager: dansimp
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade
> [!NOTE]
> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.

Configure the Blade
Configure the blade

Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users.
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
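Review bot: the new NOTE points readers at https://endpoint.microsoft.com, but step 1 that follows still begins "Go to your Azure AD Blade" without saying which portal that blade lives in, so a reader starting from the Endpoint Manager link has no path to the Azure AD **Mobility (MDM and MAM)** blade; add the portal (or a direct link to the Azure AD blade) to step 1. The rewritten closing sentence is clearer, but "make it Intune ready" should also say that choosing **All** enrolls every user's device automatically, which is the scoping decision an admin needs to make deliberately rather than by default.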
@ -1227,76 +1227,6 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-disablecloudoptimizedcontent"></a>**Experience/DisableCloudOptimizedContent**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting lets you turn off cloud optimized content in all Windows experiences.
If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content.
If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off cloud optimized content*
- GP name: *DisableCloudOptimizedContent*
- GP path: *Windows Components/Cloud Content*
- GP ADMX file name: *CloudContent.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**
@ -1428,7 +1358,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes.
- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
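Review bot: the grammar fix to the `0 (default)` line is fine, but the list still jumps from value 0 to value 2 with no entry for 1; if 1 is intentionally not a supported value for this policy, say so explicitly in the list, otherwise readers will read the gap as a typo and may set 1 expecting it to turn sync off.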
BIN
windows/client-management/media/image1.png
Normal file
windows/client-management/quick-assist.md
Normal file
@ -0,0 +1,121 @@
---
title: Use Quick Assist to help users
description: How IT Pros can use Quick Assist to help users
ms.prod: w10
ms.sitesec: library
ms.topic: article
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
manager: laurawi
---
# Use Quick Assist to help users
Quick Assist is a Windows 10 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate.
### Authentication
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time.
### Network considerations
Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Both the helper and sharer must be able to reach these endpoints over port 443:
| Domain/Name | Description |
|-----------------------------------|-------------------------------------------------------|
| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application |
| \*.resources.lync.com | Required for the Skype framework used by Quick Assist |
| \*.infra.lync.com | Required for the Skype framework used by Quick Assist |
| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist |
| \*.login.microsoftonline.com | Required for logging in to the application (MSA) |
| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist |
| \*.aria.microsoft.com | Used for accessibility features within the app |
| \*.api.support.microsoft.com | API access for Quick Assist |
| \*.vortex.data.microsoft.com | Used for diagnostic data |
| \*.channelservices.microsoft.com | Required for chat services within Quick Assist |
## How it works
1. Both the helper and the sharer start Quick Assist.
2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.
4. The helper is prompted to select **View Only** or **Full Control**.
5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper.
6. Quick Assist starts RDP control and connects to the RDP Relay service.
7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established":::
### Data and privacy
Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information:
- Start and end time of the session
- Errors arising from Quick Assist itself, such as unexpected disconnections
- Features used inside the app such as view only, annotation, and session pause
No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session.
The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days.
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
## Working with Quick Assist
Either the support staff or a user can start a Quick Assist session.
1. Support staff (“helper”) starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER.
- From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
- Type CTRL+Windows+Q
2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
3. Helper shares the security code with the user over the phone or with a messaging system.
4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
## If Quick Assist is missing
If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it.
### Uninstall Quick Assist
1. Start the Settings app, and then select **Apps**.
2. Select **Optional features**.
3. In the **Installed features** search bar, type *Quick Assist*.
4. Select **Microsoft Quick Assist**, and then select **Uninstall**.
### Reinstall Quick Assist
1. Start the Settings app, and then select **Apps**.
2. Select **Optional features**.
3. Select **Add a feature**.
4. In the new dialog that opens, in the **Add an optional feature** search bar, type *Quick Assist*.
5. Select the check box for **Microsoft Quick Assist**, and then select **Install**.
6. Restart the device.
## Next steps
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab).
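Review bot: the access-control fact that matters most to an admin, that apart from User Account Control prompts "the helper has the same permissions as the sharer on the device", is buried at the end of the "Data and privacy" subsection; move it beside the **View Only** / **Full Control** choice ("How it works" step 4, or "Working with Quick Assist" step 5) and state plainly that **Full Control** lets the helper's input run as the signed-in sharer, so the sharer knows what **Allow** grants. Two wording problems in the same file: "How it works" step 5 reads "confirm allowing the helper to share their desktop with the helper", where it is the sharer who shares their desktop with the helper; and the "Type CTRL+Windows+Q" bullet lacks the terminating period the sibling bullets have. Since "Network considerations" lists the endpoints for allow-listing, it would also help to say whether the wildcard entries must be permitted for both TCP 443 to the RDP relay and the `*.login.microsoftonline.com` sign-in flow on the helper side only, as the text states the sharer does not authenticate.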
@ -376,7 +376,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:


If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
BIN
windows/media/phase-diagrams/deployment-phases.png
Normal file
BIN
windows/media/phase-diagrams/migration-phases.png
Normal file
BIN
windows/media/phase-diagrams/onboard.png
Normal file
BIN
windows/media/phase-diagrams/prepare.png
Normal file
BIN
windows/media/phase-diagrams/setup.png
Normal file
@ -1,173 +0,0 @@
---
title: Windows Hello for Business Frequently Asked Questions
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
# Windows Hello for Business Frequently Asked Questions
**Applies to**
- Windows 10
## What about virtual smart cards?
Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
## What about convenience PIN?
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
## Can I use Windows Hello for Business key trust and RDP?
RDP currently does not support using key based authentication and self signed certificates as supplied credentials. RDP with supplied credentials Windows Hello for Business is currently only supported with certificate based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
## How can a PIN be more secure than a password?
When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key.
The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
## Why is the Key Admins group missing, I have Windows Server 2016 domain controller(s)?
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
## Can I use a convenience PIN with Azure AD?
It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It is only supported for on-premises Domain Joined users and local account users.
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
## Why does authentication fail immediately after provisioning Hybrid Key Trust?
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
## What is the user experience for Windows Hello for Business?
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
## What happens when my user forgets their PIN?
If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
## What URLs do I need to allow for a hybrid deployment?
Communicating with Azure Active Directory uses the following URLs:
- enterpriseregistration.windows.net
- login.microsoftonline.com
- login.windows.net
- account.live.com
- accountalt.azureedge.net
- secure.aadcdn.microsoftonline-p.com
If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage.microsoft.com
- portal.manage.microsoft.com
## What is the difference between non-destructive and destructive PIN reset?
Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-feature-pin-reset.md) page for more information.
Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
## Which is better or more secure: Key trust or Certificate trust?
The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
- Required domain controllers
- Issuing end entity certificates
The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed).
The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
## Do I need Windows Server 2016 domain controllers?
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment.
## What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
## Is Windows Hello for Business multifactor authentication?
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
## What are the biometric requirements for Windows Hello for Business?
Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
## Can I use both a PIN and biometrics to unlock my device?
Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md).
## What is the difference between Windows Hello and Windows Hello for Business?
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
## Why can't I enroll biometrics for my local built-in Administrator?
Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint).
## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory.
## Does Windows Hello for Business prevent the use of simple PINs?
Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero').
So, for example:
* The PIN 1111 has a constant delta of (0,0,0), so it is not allowed
* The PIN 1234 has a constant delta of (1,1,1), so it is not allowed
* The PIN 1357 has a constant delta of (2,2,2), so it is not allowed
* The PIN 9630 has a constant delta of (7,7,7), so it is not allowed
* The PIN 1593 has a constant delta of (4,4,4), so it is not allowed
* The PIN 7036 has a constant delta of (3,3,3), so it is not allowed
* The PIN 1231 does not have a constant delta (1,1,8), so it is allowed
* The PIN 1872 does not have a constant delta (7,9,5), so it is allowed
This prevents repeating numbers, sequential numbers, and simple patterns.
It always results in a list of 100 disallowed PINs (independent of the PIN length).
This algorithm does not apply to alphanumeric PINs.
## How does PIN caching work with Windows Hello for Business?
Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.
Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN.
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
## Can I disable the PIN while using Windows Hello for Business?
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
## How are keys protected?
Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software.
Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register).
## Can Windows Hello for Business work in air-gapped environments?
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
## Can I use third-party authentication providers with Windows Hello for Business?
Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
## Does Windows Hello for Business work with third party federation servers?
Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
| Protocol | Description |
| :---: | :--- |
| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. |
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
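Review bot: the +/- markers for this markdown FAQ are not visible in the rendered diff, so confirm these lines are the deletion of hello-faq.md rather than a retained duplicate of the content now in hello-faq.yml; if the file is being kept, the wording defects here still need fixing ("with destructive PIN reset" opening a sentence in lowercase, "Key trust authenticate does not require", "if you are federated hybrid deployment", and "can inquiry at"), and the smart card emulation paragraph should say plainly that Windows 10 exposes no Group Policy setting to shorten or disable the PIN ticket caching, since that is the operational caveat an administrator reading this FAQ needs.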
@ -0,0 +1,208 @@
### YamlMime:FAQ
metadata:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
Applies to: Windows 10
sections:
- name: Ignored
questions:
- question: What about virtual smart cards?
answer: |
Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
- question: What about convenience PIN?
answer: |
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
answer: |
Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
- question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
answer: |
The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
- question: How can a PIN be more secure than a password?
answer: |
When using Windows Hello for Business, the PIN is not a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- question: I have Windows Server 2016 domain controller(s), so why is the Key Admins group missing?
answer: |
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
- question: Can I use a convenience PIN with Azure Active Directory?
answer: |
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
- question: Can I use an external camera when my laptop is closed or docked?
answer: |
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
- question: Why does authentication fail immediately after provisioning hybrid key trust?
answer: |
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
- question: What is the password-less strategy?
answer: |
Watch Principal Program Manager Karanbir Singh's **Microsoft's guide for going password-less** Ignite 2017 presentation.
[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
- question: What is the user experience for Windows Hello for Business?
answer: |
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
- question: What happens when a user forgets their PIN?
answer: |
If the user can sign-in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider.
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
Communicating with Azure Active Directory uses the following URLs:
- enterpriseregistration.windows.net
- login.microsoftonline.com
- login.windows.net
- account.live.com
- accountalt.azureedge.net
- secure.aadcdn.microsoftonline-p.com
If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage.microsoft.com
- portal.manage.microsoft.com
- question: What's the difference between non-destructive and destructive PIN reset?
answer: |
Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once onboarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
- question: |
Which is better or more secure: key trust or certificate trust?
answer: |
The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
- Required domain controllers
- Issuing end entity certificates
The **key trust** model authenticates to Active Directory by using a raw key. Windows Server 2016 domain controllers enable this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed).
The **certificate trust** model authenticates to Active Directory by using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to users, but you don't need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing certificate authority.
- question: Do I need Windows Server 2016 domain controllers?
answer: |
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you've deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment.
- question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
answer: |
Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
- question: Is Windows Hello for Business multifactor authentication?
answer: |
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
- question: What are the biometric requirements for Windows Hello for Business?
answer: |
Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an additional factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
- question: Why can't I enroll biometrics for my local, built-in administrator?
answer: |
Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint).
- question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
answer: |
No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero').
So, for example:
- The PIN 1111 has a constant delta of (0,0,0), so it is not allowed
- The PIN 1234 has a constant delta of (1,1,1), so it is not allowed
- The PIN 1357 has a constant delta of (2,2,2), so it is not allowed
- The PIN 9630 has a constant delta of (7,7,7), so it is not allowed
- The PIN 1593 has a constant delta of (4,4,4), so it is not allowed
- The PIN 7036 has a constant delta of (3,3,3), so it is not allowed
- The PIN 1231 does not have a constant delta (1,1,8), so it is allowed
- The PIN 1872 does not have a constant delta (7,9,5), so it is allowed
This prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm does not apply to alphanumeric PINs.
- question: How does PIN caching work with Windows Hello for Business?
answer: |
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.
Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN.
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
- question: Can I disable the PIN while using Windows Hello for Business?
answer: |
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
- question: How are keys protected?
answer: |
Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business do not require a TPM. Administrators can choose to allow key operations in software.
Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register).
- question: Can Windows Hello for Business work in air-gapped environments?
answer: |
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
- question: Can I use third-party authentication providers with Windows Hello for Business?
answer: |
Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with third-party federation servers?
answer: |
Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).<br><br>
| Protocol | Description |
| :---: | :--- |
| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
|
||||
| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
- question: Does Windows Hello for Business work with Mac and Linux clients?
|
||||
answer: |
|
||||
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
|
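Review bot: the answer to "Does Windows Hello for Business work with third-party federation servers?" reads "Interested third-parties can inquiry at"; it should be "Interested third parties can inquire at", and the same "third-parties" hyphenation recurs in the Mac/Linux answer, while "any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter" should be "any third party that provides". Since these answers are being moved into the YAML FAQ format anyway, this is the right moment to fix them rather than carry the wording over.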
@ -63,7 +63,7 @@
|
||||
## [Windows Hello and password changes](hello-and-password-changes.md)
|
||||
## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md)
|
||||
## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml)
|
||||
### [Windows Hello for Business Videos](hello-videos.md)
## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
|
||||
|
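Review bot: the TOC entry now points at hello-faq.yml, but this commit shows neither a deletion of hello-faq.md nor a redirect for it. Confirm that the old .md page is removed (or redirected) in the same change so the two copies do not coexist, and that any other article linking to hello-faq.md with a relative link is updated, because a link left pointing at a deleted .md file breaks the build.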
@ -3,9 +3,9 @@
|
||||
## [BitLocker](bitlocker\bitlocker-overview.md)
|
||||
### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
|
||||
### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
|
||||
#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md)
|
||||
#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.yml)
|
||||
#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
|
||||
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md)
|
||||
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml)
|
||||
#### [Key management](bitlocker\bitlocker-key-management-faq.md)
|
||||
#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md)
|
||||
#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md)
|
||||
|
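Review bot: only two of the seven BitLocker FAQ pages move to .yml in this hunk (overview-and-requirements and deployment-and-administration); upgrading, key-management, BitLocker To Go and AD DS stay on .md. That is fine as an incremental step, but say so in the PR description, and make sure the two deleted .md paths get entries in the repository's redirection file so existing deep links to those URLs do not 404.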
@ -1,101 +0,0 @@
|
||||
---
|
||||
title: BitLocker deployment and administration FAQ (Windows 10)
|
||||
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/28/2019
|
||||
ms.custom: bitlocker
|
||||
---
# BitLocker frequently asked questions (FAQ)
**Applies to**
|
||||
- Windows 10
## Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
## Can BitLocker encrypt more than just the operating system drive?
Yes.
## Is there a noticeable performance impact when BitLocker is enabled on a computer?
Generally it imposes a single-digit percentage performance overhead.
## How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
## What happens if the computer is turned off during encryption or decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
## How can I prevent users on a network from storing data on an unencrypted drive?
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
## What is Used Disk Space Only encryption?
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
## What system changes would cause the integrity check on my operating system drive to fail?
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
|
||||
- Installing a new motherboard with a new TPM.
|
||||
- Turning off, disabling, or clearing the TPM.
|
||||
- Changing any boot configuration settings.
|
||||
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
## What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
|
||||
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
## What can prevent BitLocker from binding to PCR 7?
BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
## Why is "Turn BitLocker on" not available when I right-click a drive?
|
||||
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
## What type of disk configurations are supported by BitLocker?
|
||||
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
|
||||
|
||||
|
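Review bot: bitlocker-deployment-and-administration-faq.md is deleted outright and the diff contains no redirect entry for its URL, even though the content is republished verbatim as a .yml page; the same applies to the deletion of bitlocker-overview-and-requirements-faq.md later in this commit. Add redirects for both deleted paths. Because the text moves over unchanged, fixes to the content itself belong in the new .yml file, not here.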
@ -0,0 +1,97 @@
|
||||
### YamlMime:FAQ
|
||||
metadata:
|
||||
title: BitLocker deployment and administration FAQ (Windows 10)
|
||||
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/28/2019
|
||||
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
|
||||
summary: |
|
||||
**Applies to**
|
||||
- Windows 10
sections:
|
||||
- name: Ignored
|
||||
questions:
|
||||
- question: Can BitLocker deployment be automated in an enterprise environment?
|
||||
answer: |
|
||||
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
- question: Can BitLocker encrypt more than just the operating system drive?
|
||||
answer: Yes.
- question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
|
||||
answer: Generally it imposes a single-digit percentage performance overhead.
- question: How long will initial encryption take when BitLocker is turned on?
|
||||
answer: |
|
||||
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
- question: What happens if the computer is turned off during encryption or decryption?
|
||||
answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
- question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
|
||||
answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
- question: How can I prevent users on a network from storing data on an unencrypted drive?
|
||||
answer: |
|
||||
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
- question: What is Used Disk Space Only encryption?
|
||||
answer: |
|
||||
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
- question: What system changes would cause the integrity check on my operating system drive to fail?
|
||||
answer: |
|
||||
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
|
||||
- Installing a new motherboard with a new TPM.
|
||||
- Turning off, disabling, or clearing the TPM.
|
||||
- Changing any boot configuration settings.
|
||||
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
- question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
|
||||
answer: |
|
||||
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
|
||||
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
|
||||
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
- question: What can prevent BitLocker from binding to PCR 7?
|
||||
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
|
||||
answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
- question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
|
||||
answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
- question: Why is "Turn BitLocker on" not available when I right-click a drive?
|
||||
answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
- question: What type of disk configurations are supported by BitLocker?
|
||||
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
|
||||
|
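Review bot: the metadata block is copied from the .md front matter without adjustment: `ms.topic: conceptual` should be `faq` for a `YamlMime:FAQ` page, `ms.date: 02/28/2019` should be bumped since the page is being republished, and `ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee` is the same GUID used by bitlocker-overview-and-requirements-faq.yml in this commit; asset IDs are meant to be unique per page, so one of the two needs a new GUID. Wording carried over verbatim that this rewrite should fix: "encrypting just the used spaced" (used space), "some PCMIA wireless cards" (PCMCIA), and "On some versions ATA and SATA-based, direct-attached storage devices are also supported", which reads garbled and presumably means "On some versions, ATA- and SATA-based direct-attached storage devices are also supported." One security caveat is worth a sentence: the "Used Disk Space Only" answer says the option is "not the most secure way to encrypt a drive" without saying why; the reason is that free space, including remnants of previously deleted files, is left unencrypted, so the option suits new or freshly wiped drives rather than drives that already held data. That also qualifies the earlier answer's absolute "No unencrypted data is ever stored on a BitLocker-protected drive", which holds for full-drive encryption but not for Used Disk Space Only on a previously used disk.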
@ -25,9 +25,9 @@ ms.custom: bitlocker
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.md)
|
||||
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
|
||||
- [Upgrading](bitlocker-upgrading-faq.md)
|
||||
- [Deployment and administration](bitlocker-deployment-and-administration-faq.md)
|
||||
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
|
||||
- [Key management](bitlocker-key-management-faq.md)
|
||||
- [BitLocker To Go](bitlocker-to-go-faq.md)
|
||||
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md)
|
||||
|
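Review bot: the two link updates here match the TOC change, which is good, but they only cover this index page. Grep the folder for other relative links to bitlocker-overview-and-requirements-faq.md and bitlocker-deployment-and-administration-faq.md before merging; a stale relative link to a deleted file fails the docs build rather than degrading gracefully. Minor: this list labels the last entry "Active Directory Domain Services (AD DS)" while the TOC says "Active Directory Domain Services"; pre-existing, but easy to align while touching both files.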
@ -1,82 +0,0 @@
|
||||
---
|
||||
title: BitLocker overview and requirements FAQ (Windows 10)
|
||||
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/28/2019
|
||||
ms.custom: bitlocker
|
||||
---
# BitLocker Overview and Requirements FAQ
**Applies to**
|
||||
- Windows 10
## How does BitLocker work?
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
## Does BitLocker support multifactor authentication?
Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
## What are the BitLocker hardware and software requirements?
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]
|
||||
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
## Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
## Which Trusted Platform Modules (TPMs) does BitLocker support?
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
|
||||
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## How can I tell if a TPM is on my computer?
Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
## Can I use BitLocker on an operating system drive without a TPM?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
|
||||
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
## How do I obtain BIOS support for the TPM on my computer?
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
|
||||
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
## What credentials are required to use BitLocker?
To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
## What is the recommended boot order for computers that are going to be BitLocker-protected?
You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
|
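Review bot: same deletion-without-redirect concern as for the deployment FAQ page. One thing the conversion does get right on this side: in the deleted file the TPM 2.0 NOTE had a blank line between its two `>` paragraphs, which splits it into two separate blockquotes when rendered; the new .yml version joins them with a bare `>` line, so no content is lost in the move.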
@ -0,0 +1,82 @@
|
||||
### YamlMime:FAQ
|
||||
metadata:
|
||||
title: BitLocker overview and requirements FAQ (Windows 10)
|
||||
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
|
||||
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/28/2019
|
||||
ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
|
||||
summary: |
|
||||
**Applies to**
|
||||
- Windows 10
sections:
|
||||
- name: Ignored
|
||||
questions:
|
||||
- question: How does BitLocker work?
|
||||
answer: |
|
||||
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
- question: Does BitLocker support multifactor authentication?
|
||||
answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
- question: What are the BitLocker hardware and software requirements?
|
||||
answer: |
|
||||
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]
|
||||
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
- question: Why are two partitions required? Why does the system drive have to be so large?
|
||||
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
- question: Which Trusted Platform Modules (TPMs) does BitLocker support?
|
||||
answer: |
|
||||
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
|
||||
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
|
||||
>
|
||||
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
- question: How can I tell if a TPM is on my computer?
|
||||
answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
- question: Can I use BitLocker on an operating system drive without a TPM?
answer: |
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer?
answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
- question: What credentials are required to use BitLocker?
answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected?
answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
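Review bot: The TPM 2.0 note has two wording problems that matter because readers act on it. "For added security Enable the Secure Boot feature." needs a comma and lowercase: "For added security, enable the Secure Boot feature." The next paragraph, "Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI", is hard to parse; suggest "An operating system installed in legacy BIOS mode will not boot once the firmware is switched to UEFI. Run MBR2GPT before changing the mode so the OS and disk are prepared for UEFI." Since both the MBR2GPT step and Secure Boot are prerequisites for the "Native UEFI only" requirement stated just above, placing them before the CSM sentence would read more naturally.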
@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the Microsoft Account and the custom URL are displayed.


#### Example 2 (single recovery key with single backup)
@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the custom URL is displayed.


#### Example 3 (single recovery key with multiple backups)
@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the Microsoft Account hint is displayed.


#### Example 4 (multiple recovery passwords)
@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.


#### Example 5 (multiple recovery passwords)
@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the most recent key is displayed.


## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
---
@ -27,21 +27,19 @@ manager: dansimp
You can manage and configure Microsoft Defender Antivirus with the following tools:
- Microsoft Intune (now part of Microsoft Endpoint Manager)
- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager)
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility
- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility
The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
## In this section
Article | Description
---|---
[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus
| Article | Description |
|:---|:---|
|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
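Review bot: The mpcmdrun.exe bullet is missing its closing parenthesis in both the old and the new text: "(referred to as the *mpcmdrun.exe* utility" should end with "utility)". Since this hunk already rewrites that bullet to add the link, close the parenthesis here rather than shipping the rendering glitch a second time.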
@ -11,16 +11,15 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 12/11/2020
ms.date: 12/17/2020
---
# Microsoft Defender Antivirus compatibility
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
@ -48,13 +47,13 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive or disabled mode automatically when you install non-Microsoft antivirus product. In those cases, [disable Microsoft Defender Antivirus, or set it to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a server.
If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key:
If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
- Value: 1
- Name: `ForceDefenderPassiveMode`
- Type: `REG_DWORD`
- Value: `1`
See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
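Review bot: Two wording issues in the rewritten footnote and passive-mode paragraph, and one missing condition. "when you install non-Microsoft antivirus product" needs an article ("a non-Microsoft antivirus product"), and "you set Microsoft Defender Antivirus to passive mode by setting this registry key" reads as a statement of fact rather than an instruction; "you can set" is clearer. More importantly, the table rows above distinguish servers by whether Defender for Endpoint is enabled, and the value lives under the `Windows Advanced Threat Protection` policy path, so the paragraph should say whether `ForceDefenderPassiveMode` takes effect only on servers onboarded to Defender for Endpoint or regardless of onboarding. An admin who sets it on a non-onboarded server and then installs another product needs to know which of the two outcomes to expect.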
@ -78,7 +77,7 @@ The following table summarizes the functionality and features that are available
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not used as the primary antivirus solution, it can still detect and remediate malicious items.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
## Keep the following points in mind
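Review bot: Subject-verb agreement in the Active mode bullet: "detection information are reported" should be "detection information is reported". In the Passive mode bullet, "Files are scanned and reports are provided for threat detections" could be read as scanning that still remediates; state plainly that passive-mode scanning is detection-only and that remediation is left to the primary antivirus product, in the same explicit form the Disabled bullet uses for its case. The EDR in block mode bullet then makes sense as the exception to that rule.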
@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 11/12/2020
ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -20,12 +20,9 @@ ms.custom: nextgen
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- Windows 10
- Windows Server 2016
- Windows Server 2019
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Microsoft Defender Antivirus: Your next-generation protection
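Review bot: This hunk removes "Windows 10", "Windows Server 2016" and "Windows Server 2019" from the **Applies to** list, leaving only Defender for Endpoint, yet the article still documents behaviour on Windows Server 2016 and 2019 (the note further down defers to the Windows Server article for the differences). If the intent is that **Applies to** now lists products rather than operating systems, say so in the commit message so the other Defender Antivirus pages can be aligned; otherwise the OS entries should stay, since readers use that list to decide whether the page covers their platform.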
@ -56,8 +53,8 @@ For information on how to configure next-generation protection services, see [Co
> [!Note]
> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
## Related articles
## See also
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
@ -10,24 +10,22 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 02/25/2020
ms.reviewer:
ms.date: 12/17/2020
ms.reviewer: pahuijbr
manager: dansimp
---
# Microsoft Defender Antivirus on Windows Server 2016 and 2019
# Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- Windows Server 2016
- Windows Server 2019
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
Microsoft Defender Antivirus is available on Windows Server 2016 and 2019. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same.
While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2016 and 2019:
- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
@ -52,7 +50,7 @@ The process of setting up and running Microsoft Defender Antivirus on a server p
## Enable the user interface on Windows Server 2016 or 2019
By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell.
### Turn on the GUI using the Add Roles and Features Wizard
@ -121,14 +119,14 @@ The `sc query` command returns information about the Microsoft Defender Antiviru
In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
|Method |Description |
|---------|---------|
|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
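Review bot: The **AUOptions** row names a registry value but never says which key it belongs to, so the row cannot be applied without guessing; give the full key path in the same `Path:` / `Name:` / `Type:` / `Value:` form this page uses for `ForceDefenderPassiveMode`. The same row and the Control Panel row also still say "Windows Defender Security intelligence updates" while the rest of the article says "Microsoft Defender Antivirus"; pick one product name for the table so readers do not wonder whether two different update channels are meant.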
@ -162,10 +160,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
@ -175,36 +173,38 @@ See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](con
## Need to uninstall Microsoft Defender Antivirus?
If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
If you are using a non-Microsoft antivirus product as your primary antivirus solution, you can either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures.
- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
### Set Microsoft Defender Antivirus to passive mode
- See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Defender for Endpoint.
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: `ForceDefenderPassiveMode`
- Type: `REG_DWORD`
- Value: `1`
If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections.
### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option.
If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
### Uninstall Microsoft Defender Antivirus using PowerShell
### Disable Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019:
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016 or 2019:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
```
### Turn off the GUI using PowerShell
### Turn off the Microsoft Defender Antivirus user interface using PowerShell
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
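Review bot: The renamed headings no longer match the procedures under them. The new intro promises that you can "either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures", and the headings were changed from "Uninstall ..." to "Disable ...", but both procedures still remove the feature: the Remove Roles and Features wizard step clears **Windows Defender Features**, and the PowerShell step runs `Uninstall-WindowsFeature -Name Windows-Defender` with body text that still says it "uninstalls". Either restore the "Uninstall" headings or document an actual disable procedure; a feature removal is not reversible with a registry change the way passive mode is, and an admin who wanted "disable" will get "removed". Two related gaps: passive mode is offered only for "Windows Server, version 1803 or Windows Server 2019" while the page applies to Windows Server 2016 as well, so say explicitly that on Windows Server 2016 uninstalling is the only option; and the note "You can't uninstall the Windows Security app, but you can disable the interface with these instructions" sits under the feature-removal heading rather than the GUI section it describes.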
@ -212,8 +212,7 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c
Uninstall-WindowsFeature -Name Windows-Defender-GUI
```
## Related topics
## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 12/10/2020
ms.date: 12/17/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -22,15 +22,16 @@ Microsoft Defender Application Guard (Application Guard) is designed to help pre
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.

### What types of devices should use Application Guard?
Application Guard has been created to target several types of systems:
Application Guard has been created to target several types of devices:
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
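Review bot: Grammar in the new Office paragraph: "helps prevents untrusted Word, PowerPoint and Excel files" should be "helps prevent". The closing sentence, "this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials", also overreaches: "anonymous" is not a property the preceding sentences establish, and isolation from the host is not anonymity. The claim the paragraph actually supports is narrower and should be stated as such: the container does not carry the employee's enterprise credentials, so code running in it has nothing to steal. Since the Edge and Office cases were merged into one paragraph here, make sure that sentence applies to both file and site isolation, because it is the line a security reviewer will quote.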
@ -29,7 +29,7 @@ ms.topic: conceptual
- [Defender for Endpoint](microsoft-defender-atp-android.md)
This topic describes deploying Defender for Endpoint for Android on Intune
Learn how to deploy Defender for Endpoint for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
@ -44,13 +44,13 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
**Deploy Defender for Endpoint for Android on Intune Company Portal - Device
Administrator enrolled devices**
This topic describes how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
### Add as Android store app
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add \> Android store app** and click **Select**.
**Android Apps** \> **Add \> Android store app** and choose **Select**.

@ -66,7 +66,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
|
||||
|
||||

|
||||
|
||||
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Click **Select** and then **Next**.
|
||||
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
|
||||
|
||||
>[!NOTE]
|
||||
>The selected user group should consist of Intune enrolled users.
|
||||
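Review bot: the changed step is missing a preposition, "the user group(s) that you would like to target Defender for Endpoint for Android app" does not parse; suggest "the user group(s) that you want to target with the Defender for Endpoint for Android app". The "Click" to "Choose" change itself is fine and consistent with the earlier step.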
@ -111,7 +111,7 @@ Defender for Endpoint for Android supports Android Enterprise enrolled devices.
|
||||
For more information on the enrollment options supported by Intune, see
|
||||
[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
|
||||
|
||||
**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
|
||||
**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
|
||||
|
||||
|
||||
|
||||
@ -141,7 +141,7 @@ select **Approve**.
|
||||
> 
|
||||
|
||||
|
||||
4. You should now be presented with the permissions that Defender for Endpoint
|
||||
4. You'll be presented with the permissions that Defender for Endpoint
|
||||
obtains for it to work. Review them and then select **Approve**.
|
||||
|
||||

|
||||
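Review bot: "the permissions that Defender for Endpoint obtains for it to work" (the changed step continues on the next line) is awkward; suggest "the permissions that Defender for Endpoint requires in order to work. Review them and then select **Approve**." The "You'll be presented" change is fine.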
@ -218,7 +218,7 @@ Defender ATP should be visible in the apps list.
|
||||
|
||||
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
|
||||
|
||||
The app configuration policy for Defender for Endpoint auto-granting the storage permission is now assigned to the selected user group.
|
||||
The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
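Review bot: "autogranting" in the changed sentence is not a word readers will recognise; "automatically granting the storage permission" is clearer than either the old hyphenated form or the new closed one. The preceding step also ends with a trailing `<br>` that is not needed before a blank line.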
@ -245,10 +245,10 @@ assignment.
|
||||
|
||||
### Auto Setup of Always-on VPN
|
||||
Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
|
||||
1. On **Devices** Page go to **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
|
||||
1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
|
||||
Select **Device restrictions** under one of the following, based on your device enrollment type
|
||||
- **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
|
||||
- **Personally-Owned Work Profile**
|
||||
- **Personally owned Work Profile**
|
||||
|
||||
Select **Create**.
|
||||
|
||||
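Review bot: the changed step ends without terminal punctuation after "**Android Enterprise**", and the following line "based on your device enrollment type" needs a colon before the bullet list. The changed bullet "**Personally owned Work Profile**" is also capitalised differently from its sibling "**Corporate-Owned Work Profile**" ("owned" vs "Owned"); pick one form for both.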
@ -292,7 +292,7 @@ displayed here.
|
||||
> 
|
||||
|
||||
|
||||
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally-owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
|
||||
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
|
||||
|
||||

|
||||
|
||||
|
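Review bot: the bolded phrases "**Personally owned devices with work profile**" and "**Corporate-owned, fully managed user device**" read as Intune enrollment-type labels; if they mirror UI strings, they should match the UI text exactly rather than follow the prose hyphenation rule applied here, so confirm the label wording before changing the hyphen.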
@ -0,0 +1,44 @@
|
||||
---
|
||||
title: Contact Microsoft Defender for Endpoint support for US Government customers
|
||||
description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers
|
||||
keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ROBOTS: noindex,nofollow
|
||||
---
|
||||
|
||||
# Contact Microsoft Defender for Endpoint support for US Government customers
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
|
||||
|
||||
## Using the right portal
|
||||
In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal:
|
||||
|
||||
Environment | Portal URL
|
||||
:---|:---
|
||||
GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)
|
||||
GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us)
|
||||
GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
|
||||
DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us)
|
||||
|
||||
If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true).
|
||||
|
||||
## Opening a support case
|
||||
For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md).
|
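Review bot: "login" is used as a verb twice in the new page ("you will need to login to", "If you are unable to login to"); use "sign in to" in both places. Also confirm that the GCC-H and DoD rows are meant to share the same portal URL (https://securitycenter.microsoft.us), since every other row has a distinct one. The `ROBOTS: noindex,nofollow` metadata will keep this page out of search results, which is fine only if the page is intended to be reached from contact-support.md alone.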
@ -34,9 +34,10 @@ This guide helps you work across stakeholders to prepare your environment and th
|
||||
|
||||
Each section corresponds to a separate article in this solution.
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||

|
||||
|
||||
|Phase | Description |
|
||||
|:-------|:-----|
|
||||
|
@ -21,7 +21,10 @@ ms.topic: article
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
>[!NOTE]
|
||||
>If you are a US Gov customer, please refer to API endpoints listed in [here](gov.md#api).
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
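Review bot: the new note uses "here" as link text ("refer to API endpoints listed in [here](gov.md#api)"), which is poor for accessibility, and "please" is discouraged in this doc set; suggest "If you're a US Government customer, use the [API endpoints for US Government customers](gov.md#api)." The bracket fix on the **Applies to** link is correct.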
@ -40,7 +40,7 @@ The following OS versions are supported:
|
||||
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481))
|
||||
|
||||
>[!NOTE]
|
||||
A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
|
||||
>A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
|
||||
|
||||
The following OS versions are supported via Azure Security Center:
|
||||
- Windows Server 2008 R2 SP1
|
||||
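Review bot: adding the `>` prefix is the right fix, without it the sentence rendered outside the NOTE box. The note itself is still vague about which patch is required; the only patch in the surrounding list is KB4490481 for Windows Server 2019, so either name it (or link to it) in the note or state that the requirement applies to every listed version.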
@ -108,4 +108,8 @@ Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```
|
||||
Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```
|
||||
|
||||
|
||||
## API
|
||||
Login endpoint: ```https://login.microsoftonline.us```
|
||||
Microsoft Defender for Endpoint API endpoint: ```https://api-gov.securitycenter.microsoft.us```
|
||||
|
||||
|
||||
|
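Review bot: the two new lines under "## API" have no blank line between them, so they render as one paragraph ("Login endpoint: ... Microsoft Defender for Endpoint API endpoint: ..."); separate them with a blank line or make them a two-item list. Single backticks are enough for inline code, and "Login endpoint" should be "Sign-in endpoint" to match the style used elsewhere.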
@ -2,7 +2,7 @@
|
||||
title: Create indicators based on certificates
|
||||
ms.reviewer:
|
||||
description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities.
|
||||
keywords: ioc, certificate, certificates, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
|
||||
keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
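Review bot: dropping "whitelist, blacklist" from the keywords metadata is the right inclusive-language change; check that the article body and its headings no longer use those terms either, otherwise searches for them will still land on this page through the content.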
@ -39,11 +39,11 @@ You can create indicators for certificates. Some common use cases include:
|
||||
|
||||
It's important to understand the following requirements prior to creating indicators for certificates:
|
||||
|
||||
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
|
||||
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
|
||||
- The Antimalware client version must be 4.18.1901.x or later.
|
||||
- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
|
||||
- The virus and threat protection definitions must be up to date.
|
||||
- This feature currently supports entering .CER or .PEM (Base64 ASCII) encoding based certificates.
|
||||
- This feature currently supports entering .CER or .PEM file extensions.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
|
||||
|
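Review bot: the rewritten bullet loses the encoding detail: "supports entering .CER or .PEM file extensions" no longer says that the file must be Base64 ASCII encoded, and a .CER file can also be DER-encoded, so readers may upload a binary .CER and fail. Suggest ".CER or .PEM files (Base64 ASCII encoded)". While in this list, "Windows server 2016" should be "Windows Server 2016".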
@ -20,7 +20,7 @@ ms.topic: article
|
||||
ms.date: 04/24/2018
|
||||
---
|
||||
|
||||
# Investigate Microsoft Defender Advanced Threat Protection alerts
|
||||
# Investigate alerts in Microsoft Defender for Endpoint
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
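Review bot: the H1 is renamed but `ms.date: 04/24/2018` in the front matter is left untouched; bump it, since the rest of this change rewrites most of the article.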
@ -35,70 +35,40 @@ ms.date: 04/24/2018
|
||||
|
||||
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
|
||||
|
||||
Click an alert to see the alert details view and the various tiles that provide information about the alert.
|
||||
Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
|
||||
|
||||
From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them.
|
||||
From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
|
||||
|
||||
The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/).
|
||||
## Investigate using the alert story
|
||||
|
||||
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
|
||||
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
|
||||
|
||||

|
||||
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
|
||||
|
||||
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
|
||||
|
||||
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
|
||||
|
||||
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
|
||||
|
||||
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
|
||||
|
||||
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
|
||||
|
||||

|
||||
|
||||
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
|
||||
|
||||
Some actor profiles include a link to download a more comprehensive threat intelligence report.
|
||||
|
||||

|
||||
|
||||
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
|
||||
|
||||
## Alert process tree
|
||||
The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.
|
||||
|
||||

|
||||
|
||||
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
|
||||
Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
|
||||
|
||||
> [!NOTE]
|
||||
>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
|
||||
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
|
||||
|
||||
Clicking in the circle immediately to the left of the indicator displays its details.
|
||||

|
||||
|
||||

|
||||
## Take action from the details pane
|
||||
|
||||
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page.
|
||||
|
||||
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
|
||||
|
||||
## Incident graph
|
||||
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
|
||||
If you classify it as a true alert, you can also select a determination, as shown in the image below.
|
||||
|
||||

|
||||

|
||||
|
||||
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
|
||||
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
|
||||
|
||||
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
|
||||

|
||||
|
||||
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
|
||||
> [!TIP]
|
||||
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
|
||||
|
||||
## Artifact timeline
|
||||
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
|
||||
|
||||

|
||||
|
||||
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
|
||||
|
||||
## Related topics
|
||||
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
|
||||
|
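Review bot: the new paragraph links to review-alerts with an absolute docs.microsoft.com URL while every other link in this file is relative (manage-alerts.md, alerts-queue.md); use `review-alerts.md` so the link survives locale and host changes. The "Selecting *...* to the right of the entity card" step italicises the More button whereas other UI elements on the page are bold, so use **...** there; and "more true alerts and less false alerts" should be "fewer false alerts".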
@ -132,8 +132,6 @@ More details about certain events are provided in the **Additional information**
|
||||
- Suspicious script detected - a potentially malicious script was found running
|
||||
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
|
||||
|
||||
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.
|
||||
|
||||
#### Event details
|
||||
Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
|
||||
|
||||
|
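Review bot: removing the Artifact timeline sentence is consistent with the section being dropped from investigate-alerts.md, but it leaves two consecutive blank lines before "#### Event details"; delete one so the file passes the markdownlint multiple-blank-lines rule.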
@ -293,6 +293,7 @@ Each command is tracked with full details such as:
|
||||
|
||||
- Live response sessions are limited to 10 live response sessions at a time.
|
||||
- Large-scale command execution is not supported.
|
||||
- Live response session inactive timeout value is 5 minutes.
|
||||
- A user can only initiate one session at a time.
|
||||
- A device can only be in one session at a time.
|
||||
- The following file size limits apply:
|
||||
|
@ -90,7 +90,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|
||||
|
||||
|Group |Scenario |Command |
|
||||
|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
|
||||
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
|
||||
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled/disabled]` |
|
||||
|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
|
||||
|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
|
||||
|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |
|
||||
|
@ -35,11 +35,14 @@ If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microso
|
||||
|
||||
When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|
||||
|
||||

|
||||
|
||||
|
||||
|Phase |Description |
|
||||
|--|--|
|
||||
|[](mcafee-to-microsoft-defender-prepare.md)<br/>[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[](mcafee-to-microsoft-defender-setup.md)<br/>[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[](mcafee-to-microsoft-defender-onboard.md)<br/>[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
|
||||
|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
|
||||
|
||||
## What's included in Microsoft Defender for Endpoint?
|
||||
|
||||
|
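Review bot: each new table row links the same phase twice, once in the first column ("[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md)") and again in the description ("During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md)"); keep the first-column link and make the description plain text to avoid redundant links in one row.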
@ -28,12 +28,10 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|[](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |<br/>Phase 3: Onboard |
|
||||
|[](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |<br/>Phase 3: Onboard |
|
||||
|--|--|--|
|
||||
|| |*You are here!* |
|
||||
|
||||
|
||||
**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
|
||||
|
||||
1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
|
||||
|
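Review bot: the unchanged sentence two lines below the table still uses the old product name, "migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)", even though the file pulls in the Microsoft 365 Defender rebranding include; since the page is being touched, use "Microsoft Defender for Endpoint" alone there.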
@ -29,7 +29,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|<br/>Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|
||||
|<br/>Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|
||||
|--|--|--|
|
||||
|*You are here!*| | |
|
||||
|
||||
|
@ -29,7 +29,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|[](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |<br/>Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|
||||
|[](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |<br/>Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|
||||
|--|--|--|
|
||||
||*You are here!* | |
|
||||
|
||||
|
@ -29,28 +29,9 @@ ms.topic: article
|
||||
|
||||
Deploying Defender for Endpoint is a three-phase process:
|
||||
|
||||
<br>
|
||||
<table border="0" width="100%" align="center">
|
||||
<tr style="text-align:center;">
|
||||
<td align="center" style="width:25%; border:0;" >
|
||||
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
|
||||
<img src="images/prepare.png" alt="Prepare to deploy Defender for Endpoint" title="Prepare" />
|
||||
<br/>Phase 1: Prepare </a><br>
|
||||
</td>
|
||||
<td align="center">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
|
||||
<img src="images/setup.png" alt="Setup the Defender for Endpoint service" title="Setup" />
|
||||
<br/>Phase 2: Set up </a><br>
|
||||
</td>
|
||||
<td align="center" bgcolor="#d5f5e3">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
|
||||
<img src="images/onboard.png" alt="Onboard diagram" title="Onboard to the Defender for Endpoint service" />
|
||||
<br/>Phase 3: Onboard </a><br>
|
||||
</td>
|
||||
|
||||
|
||||
</tr>
|
||||
</table>
|
||||
| [](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | [](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | <br>Phase 3: Onboard |
|
||||
| ----- | ----- | ----- |
|
||||
| | |*You are here!*|
|
||||
|
||||
You are currently in the onboarding phase.
|
||||
|
||||
|
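Review bot: the new markdown table labels the second phase "Phase 2: Setup" while the HTML table it replaces said "Phase 2: Set up" and the McAfee migration tables in this same change use "Phase 2: Set up"; pick one spelling for the phase name across the deployment pages. The old `<img>` tags carried alt text such as "Prepare to deploy Defender for Endpoint"; make sure the replacement images keep equivalent alt text.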
@ -33,37 +33,10 @@ ms.topic: article
|
||||
|
||||
Deploying Defender for Endpoint is a three-phase process:
|
||||
|
||||
<br>
|
||||
<table border="0" width="100%" align="center">
|
||||
<tr style="text-align:center;">
|
||||
<td align="center" style="width:25%; border:0;" bgcolor="#d5f5e3">
|
||||
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
|
||||
<img src="images/prepare.png" alt="Plan to deploy Microsoft Defender for Endpoint" title="Plan" />
|
||||
<br/>Phase 1: Prepare </a><br>
|
||||
</td>
|
||||
<td align="center" >
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
|
||||
<img src="images/setup.png" alt="Onboard to the Defender for Endpoint service" title="Setup the Defender for Endpoint service" />
|
||||
<br/>Phase 2: Set up </a><br>
|
||||
</td>
|
||||
<td align="center">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
|
||||
<img src="images/onboard.png" alt="Configure capabilities" title="Configure capabilities" />
|
||||
<br/>Phase 3: Onboard</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:25%; border:0;">
|
||||
| <br>Phase 1: Prepare | [](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | [](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
|
||||
| ----- | ----- | ----- |
|
||||
|*You are here!* | ||
|
||||
|
||||
</td>
|
||||
<td valign="top" style="width:25%; border:0;">
|
||||
|
||||
</td>
|
||||
<td valign="top" style="width:25%; border:0;">
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
You are currently in the preparation phase.
|
||||
|
||||
|
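Review bot: the HTML table being removed had mislabelled alt text (the setup image was described as "Onboard to the Defender for Endpoint service" and the onboard image as "Configure capabilities"); make sure the replacement markdown images carry alt text that actually describes each phase rather than copying these labels over.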
@ -31,28 +31,9 @@ ms.topic: article
|
||||
|
||||
Deploying Defender for Endpoint is a three-phase process:
|
||||
|
||||
<br>
|
||||
<table border="0" width="100%" align="center">
|
||||
<tr style="text-align:center;">
|
||||
<td align="center" style="width:25%; border:0;" >
|
||||
<a href= "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment">
|
||||
<img src="images/prepare.png" alt="Prepare to deploy Microsoft Defender for Endpoint" title="Prepare" />
|
||||
<br/>Phase 1: Prepare </a><br>
|
||||
</td>
|
||||
<td align="center"bgcolor="#d5f5e3">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
|
||||
<img src="images/setup.png" alt="Onboard to the Microsoft Defender for Endpoint service" title="Setup" />
|
||||
<br/>Phase 2: Set up </a><br>
|
||||
</td>
|
||||
<td align="center">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
|
||||
<img src="images/onboard.png" alt="Onboard image" title="Onboard" />
|
||||
<br/>Phase 3: Onboard </a><br>
|
||||
</td>
|
||||
|
||||
|
||||
</tr>
|
||||
</table>
|
||||
| [](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | <br>Phase 2: Setup | [](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
|
||||
| ----- | ----- | ----- |
|
||||
| | *You are here!*||
|
||||
|
||||
You are currently in the set-up phase.
|
||||
|
||||
|
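Review bot: the markdown replacement reintroduces the same label drift as the Prepare page: the current-phase cell reads `<br>Phase 2: Setup` (L5296) while the sentence below it says "set-up phase" (L5307) and the sibling pages use "Set up"; use one form. Dropping the `bgcolor="#d5f5e3"` highlight from the old HTML is fine because the "*You are here!*" row carries the same information, and it also removes the malformed `<td align="center"bgcolor=...>` tag at L5256.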
@ -33,21 +33,21 @@ The alert page in Microsoft Defender for Endpoint provides full context to the a
|
||||
|
||||
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
|
||||
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5]
|
||||
|
||||
## Getting started with an alert
|
||||
|
||||
Clicking on an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
|
||||
Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
|
||||
|
||||
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
|
||||
2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
|
||||
3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
|
||||
4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
|
||||
3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
|
||||
4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
|
||||
|
||||

|
||||
|
||||
Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
|
||||
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
|
||||
Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
|
||||
|
||||

|
||||
|
||||
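Review bot: the new sentence in item 3 (L5356) links to investigate-alerts with an absolute docs.microsoft.com URL while the rest of this change links sibling pages relatively (for example `[Phase 3: Onboard](onboarding.md)` at L5178); use a relative link if investigate-alerts lives in the same folder so the page works in staging and localized builds. Item 2 (L5347) keeps its in-page anchor `#review-affected-assets` while items 3 and 4 lose theirs; that is consistent only because the two sections they pointed at are removed in the next hunk while the affected-assets section (L5390) stays, so the remaining anchor is fine.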
@ -55,42 +55,13 @@ Other information available in the details pane when the alert opens includes MI
|
||||
|
||||
## Review affected assets
|
||||
|
||||
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
|
||||
Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
|
||||
|
||||
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
|
||||
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view.
|
||||
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
|
||||
|
||||

|
||||
|
||||
## Investigate using the alert story
|
||||
|
||||
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
|
||||
|
||||
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
|
||||
|
||||
Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
|
||||
|
||||
> [!NOTE]
|
||||
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
|
||||
|
||||

|
||||
|
||||
## Take action from the details pane
|
||||
|
||||
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
|
||||
|
||||
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
|
||||
|
||||
If you classify it as a true alert, you can also select a determination, as shown in the image below.
|
||||
|
||||

|
||||
|
||||
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
|
||||
|
||||

|
||||
|
||||
> [!TIP]
|
||||
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
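Review bot: dropping the "Investigate using the alert story" and "Take action from the details pane" sections removes the only guidance on this page for closing an alert: marking it Resolved, classifying it as true or false, choosing a determination, and creating a suppression rule for a noisy line-of-business app (L5462 to L5482). Item 4 (L5359) and the sentence at L5375 still send the reader to the details pane but no longer say what to do there. If that material now lives on investigate-alerts, add a one-line pointer at the end of the section list; otherwise keep the two classification paragraphs and the suppression-rule sentence.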
@ -35,11 +35,13 @@ If you are planning to switch from a non-Microsoft endpoint protection solution
|
||||
|
||||
When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|
||||
|
||||

|
||||
|
||||
|Phase |Description |
|
||||
|--|--|
|
||||
|[](switch-to-microsoft-defender-prepare.md)<br/>[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[](switch-to-microsoft-defender-setup.md)<br/>[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[](switch-to-microsoft-defender-onboard.md)<br/>[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
|
||||
|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
|
||||
|
||||
## What's included in Microsoft Defender for Endpoint?
|
||||
|
||||
|
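Review bot: with the thumbnails gone, each row of the table now links the same page twice, once as the phase name in the first column and once as "the **Prepare** phase" (and its Setup and Onboard counterparts) in the description. One link per row reads better; keep the first-column link and make the phase name in the description plain bold text. The overview image at L5511 is now the only visual, so its alt text "migration phases" is all a screen reader gets for the sequence; consider naming the three phases in it.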
@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
|
||||
# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
|
||||
|
||||
|[](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |<br/>Phase 3: Onboard |
|
||||
|[](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |<br/>Phase 3: Onboard |
|
||||
|--|--|--|
|
||||
|| |*You are here!* |
|
||||
|
||||
|
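Review bot: the before and after lines of this table (L5558 and L5561) are identical in their visible text, so the only change is inside the image markup that renders as `[](...)` here; check the new image path and alt text in the raw diff, because the alt text is the only link text a reader sees when the icon does not load. The same applies to the Prepare and Set up navigation tables in this change and to the three Symantec pages that follow.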
@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
|
||||
# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
|
||||
|
||||
|<br/>Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|
||||
|<br/>Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|
||||
|--|--|--|
|
||||
|*You are here!*| | |
|
||||
|
||||
|
@ -25,7 +25,7 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
|
||||
|
||||
# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
|
||||
|
||||
|[](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |<br/>Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|
||||
|[](switch-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |<br/>Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
|
||||
|--|--|--|
|
||||
||*You are here!* | |
|
||||
|
||||
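Review bot: the H1 at L5603 reads "Phase 2: Setup" while the table cell right under it (L5611) reads "Phase 2: Set up", and the Prepare and Onboard pages also use "Set up" in their tables; change the heading to "Phase 2: Set up". The Symantec Phase 2 page (L5755) has the same cell text, so check its heading as well.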
@ -231,6 +231,7 @@ To use CMPivot to get your file hash, follow these steps:
|
||||
File(c:\\windows\\notepad.exe)
|
||||
| project Hash
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> In the query above, replace *notepad.exe* with the your third-party security product process name.
|
||||
|
||||
|
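Review bot: "replace *notepad.exe* with the your third-party security product process name" has a stray "the", and it asks for a process name where the query takes a path: `File(c:\\windows\\notepad.exe)` resolves a file on disk, so the reader must substitute the full path to the product's executable (for example `File(c:\\program files\\<vendor>\\<product>.exe)`), not just its name. The same note is added to the Symantec setup page later in this change (L5849 to L5852) and needs the same fix.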
@ -35,11 +35,13 @@ If you are planning to switch from Symantec Endpoint Protection (Symantec) to [M
|
||||
|
||||
When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
|
||||
|
||||

|
||||
|
||||
|Phase |Description |
|
||||
|--|--|
|
||||
|[](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[](symantec-to-microsoft-defender-atp-setup.md)<br/>[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
|
||||
|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
|
||||
|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
|
||||
|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
|
||||
|
||||
## What's included in Microsoft Defender for Endpoint?
|
||||
|
||||
|
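Review bot: the Onboard row says to "make sure protection through Microsoft Defender for Endpoint is in active mode", but active and passive are Microsoft Defender Antivirus states; the equivalent row in the switch-to-microsoft-defender table (L5537) says "Microsoft Defender Antivirus & Microsoft Defender for Endpoint", so use that wording here. The Prepare row also omits the "update your organization's devices" step that L5531 lists for the generic migration; if Symantec migrations need it too, add it.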
@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|[](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |<br/>Phase 3: Onboard |
|
||||
|[](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |<br/>Phase 3: Onboard |
|
||||
|--|--|--|
|
||||
|| |*You are here!* |
|
||||
|
||||
|
@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|<br/>Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|
||||
|<br/>Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|
||||
|--|--|--|
|
||||
|*You are here!*| | |
|
||||
|
||||
|
@ -28,7 +28,7 @@ ms.reviewer: depicker, yongrhee, chriggs
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|[](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |<br/>Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|
||||
|[](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |<br/>Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|
||||
|--|--|--|
|
||||
||*You are here!* | |
|
||||
|
||||
@ -64,9 +64,10 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
|
||||
|
||||
1. As a local administrator on the endpoint or device, open Windows PowerShell.
|
||||
|
||||
2. Run the following PowerShell cmdlets: <br/>
|
||||
2. Run the following PowerShell cmdlets:
|
||||
|
||||
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
|
||||
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
|
||||
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
|
||||
|
||||
> [!NOTE]
|
||||
> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
|
||||
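Review bot: removing the trailing `<br/>` from the two inline-code lines (L5784 and L5790) lets markdown merge them into a single paragraph, so the page will show both `Dism` commands on one line; put them in a fenced `console` block instead. The lead-in "Run the following PowerShell cmdlets" is also wrong for `Dism.exe`, which is an external tool; either say "run the following commands" or use the cmdlet equivalent `Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Features`.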
@ -174,10 +175,12 @@ To add exclusions to Microsoft Defender for Endpoint, you create [indicators](ht
|
||||
3. On the **File hashes** tab, choose **Add indicator**.
|
||||
|
||||
3. On the **Indicator** tab, specify the following settings:
|
||||
|
||||
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
|
||||
- Under **Expires on (UTC)**, choose **Never**.
|
||||
|
||||
4. On the **Action** tab, specify the following settings:
|
||||
|
||||
- **Response Action**: **Allow**
|
||||
- Title and description
|
||||
|
||||
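Review bot: the step list now has two steps numbered "3." (the File hashes tab at L5804 and the Indicator tab at L5809) followed by "4."; renumber. The settings also create an **Allow** indicator for the third-party product's file hash with **Expires on (UTC)** set to **Never**; since the final phase of this migration uninstalls that product, a never-expiring allow for its binary is left behind. Say that the indicator should be given an expiry or deleted once the product is removed.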
@ -207,9 +210,11 @@ To use CMPivot to get your file hash, follow these steps:
|
||||
File(c:\\windows\\notepad.exe)
|
||||
| project Hash
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> In the query above, replace *notepad.exe* with the your third-party security product process name.
|
||||
|
||||
|
||||
## Set up your device groups, device collections, and organizational units
|
||||
|
||||
| Collection type | What to do |
|
||||
|
@ -165,6 +165,10 @@
|
||||
|
||||
## [Troubleshooting]()
|
||||
### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md)
|
||||
### [Filter origin audit log improvements](filter-origin-documentation.md)
|
||||
### [Quarantine behavior](quarantine.md)
|
||||
### [Firewall settings lost on upgrade](firewall-settings-lost-on-upgrade.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -0,0 +1,171 @@
|
||||
---
|
||||
title: Filter origin audit log improvements
|
||||
description: Filter origin documentation audit log improvements
|
||||
ms.reviewer:
|
||||
ms.author: v-bshilpa
|
||||
ms.prod: w10
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: normal
|
||||
author: Benny-54
|
||||
manager: dansimp
|
||||
ms.collection:
|
||||
- m365-security-compliance
|
||||
- m365-initiative-windows-security
|
||||
ms.topic: troubleshooting
|
||||
---
|
||||
|
||||
# Filter origin audit log improvements
|
||||
|
||||
Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops.
|
||||
|
||||
Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152.
|
||||
|
||||

|
||||
|
||||
The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from.
|
||||
|
||||
However, the filter ID is not a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This makes the diagnosis process error-prone and difficult.
|
||||
|
||||
For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin.
|
||||
|
||||
The blocking filters can be categorized under these filter origins:
|
||||
|
||||
1. Firewall rules
|
||||
|
||||
2. Firewall default block filters
|
||||
|
||||
a. AppContainer loopback
|
||||
|
||||
b. Boottime default
|
||||
|
||||
c. Quarantine default
|
||||
|
||||
d. Query user default
|
||||
|
||||
e. Stealth
|
||||
|
||||
f. Universal Windows Platform (UWP) default
|
||||
|
||||
g. Windows Service Hardening (WSH) default
|
||||
|
||||
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release.
|
||||
|
||||
## Improved firewall audit
|
||||
|
||||
The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`.
|
||||
|
||||
The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc.
|
||||
|
||||
`Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters.
|
||||
|
||||
The `Interface Index` field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the `Filter Origin` is a `Quarantine Default`.
|
||||
|
||||
To enable a specific audit event, run the corresponding command in an administrator command prompt:
|
||||
|
||||
|**Audit #**|**Enable command**|**Link**|
|
||||
|:-----|:-----|:-----|
|
||||
|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157)|
|
||||
|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5152)|
|
||||
|
||||
## Example flow of debugging packet drops with filter origin
|
||||
|
||||
As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on.
|
||||
|
||||

|
||||
|
||||
The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**.
|
||||
|
||||
## Firewall rules
|
||||
|
||||
Run the following PowerShell command to generate the rule information using `Filter Origin`.
|
||||
|
||||
```Powershell
|
||||
Get-NetFirewallRule -Name “<Filter Origin>”
|
||||
Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
|
||||
```
|
||||
|
||||

|
||||
|
||||
After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`.
|
||||
|
||||
>[!NOTE]
|
||||
> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Defender UI. Additionally, the above method will not work when the `Filter Origin` is one of the default block filters, as they do not correspond to any firewall rules.
|
||||
|
||||
## Firewall default block filters
|
||||
|
||||
**AppContainer loopback**
|
||||
|
||||
Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app.
|
||||
|
||||
To enable localhost loopback in a local debugging environment, see [Communicating with localhost](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback).
|
||||
|
||||
To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](https://docs.microsoft.com/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules).
|
||||
|
||||
**Boottime default**
|
||||
|
||||
Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service is not yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it is not possible to add boottime filters through firewall rules.
|
||||
|
||||
**Quarantine default**
|
||||
|
||||
Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections.
|
||||
|
||||
Run the following PowerShell command to generate more information about the interface:
|
||||
|
||||
```Powershell
|
||||
Get-NetIPInterface –InterfaceIndex <Interface Index>
|
||||
Get-NetIPInterface –InterfaceIndex 5
|
||||
```
|
||||
|
||||

|
||||
|
||||
To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
|
||||
|
||||
>[!NOTE]
|
||||
> Quarantine-related packet drops are often transient and signify nothing more than a network change on the interface.
|
||||
|
||||
**Query user default**
|
||||
|
||||
Network packet drops from query user default block filters occur when there is no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but does not have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops:
|
||||
|
||||
1. Create an inbound firewall rule to allow the packet for this application. This will allow the packet to bypass any query user default block filters.
|
||||
|
||||
2. Delete any block query user rules that may have been auto generated by the firewall service.
|
||||
|
||||
To generate a list of all the query user block rules, you can run the following PowerShell command:
|
||||
|
||||
```Powershell
|
||||
Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
|
||||
```
|
||||
|
||||

|
||||
|
||||
The query user pop-up feature is enabled by default.
|
||||
|
||||
To disable the query user pop-up, you can run the following in administrative command prompt:
|
||||
|
||||
```Console
|
||||
Netsh set allprofiles inboundusernotification disable
|
||||
```
|
||||
Or in PowerShell:
|
||||
|
||||
```Powershell
|
||||
Set-NetFirewallProfile -NotifyOnListen False
|
||||
```
|
||||
|
||||
**Stealth**
|
||||
|
||||
Network drops from stealth filters are typically made to prevent port scanning.
|
||||
|
||||
To disable stealth-mode, see [Disable stealth mode in Windows](https://docs.microsoft.com/troubleshoot/windows-server/networking/disable-stealth-mode).
|
||||
|
||||
**UWP default**
|
||||
|
||||
Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly.
|
||||
|
||||
For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall).
|
||||
|
||||
**WSH default**
|
||||
|
||||
Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected.
|
||||
|
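Review bot: the enable commands in the audit table (L6076 and L6079) are identical, but event 5152 is raised by the Filtering Platform Packet Drop subcategory, not Filtering Platform Connection; the 5152 row should read `Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`, and readers should be warned that this subcategory is high-volume on a busy host. The netsh command at L6282 is incomplete: the switch lives under `netsh advfirewall set allprofiles settings inboundusernotification disable`. At L6120 the rule name is quoted with leading and trailing spaces, `" {A549B7CF-0542-4B67-93F9-EEBCDD584377} "`, and `Get-NetFirewallRule -Name` matches the string as given, so the example returns nothing; trim the spaces. The snippets at L6117, L6199 and L6202 use curly quotes and an en dash instead of ASCII `"` and `-`; PowerShell tolerates them, but they break when pasted into cmd or into scripts saved as ASCII, so use plain characters. "Iron release" at L6035 is an internal codename; give the public Windows version or build so readers can tell whether their hosts emit the new fields. Minor: "pop up" (L6233) versus "pop-up" (L6269), and "the network interface in which the packet was dropped" (L6060) should be "on which".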
@ -0,0 +1,41 @@
---
title: Troubleshooting Windows Firewall settings after a Windows upgrade
description: Firewall settings lost on upgrade
ms.reviewer:
ms.author: v-bshilpa
ms.prod: w10
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: Benny-54
manager: dansimp
ms.collection:
- m365-security-compliance
- m365-initiative-windows-security
ms.topic: troubleshooting
---

# Troubleshooting Windows Firewall settings after a Windows upgrade

Use this article to troubleshoot firewall settings that are turned off after upgrading to a new version of Windows.

## Rule groups

To help you organize your list, individual built-in firewall rules are categorized within a group. For example, the following rules form part of the Remote Desktop group.

- Remote Desktop – Shadow (TCP-In)
- Remote Desktop – User Mode (TCP-In)
- Remote Desktop – User-Mode (UDP-In)

Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows admins to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch.

```Powershell
Get-NetFirewallRule -Group <groupName>
```

> [!NOTE]
> Microsoft recommends to enable or disable an entire group instead of individual rules.

Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This is because groups are not only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete.

For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled. If only one rule is enabled, the upgrade process will see that two of three rules are disabled and subsequently disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host.
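Review bot: the `> [!NOTE]` ("Microsoft recommends to enable or disable an entire group instead of individual rules.") and the paragraph directly under it state the same recommendation twice; keep one, and fix the note's grammar to "Microsoft recommends that you enable or disable an entire group instead of individual rules." The three Remote Desktop rule names are hyphenated inconsistently ("User Mode (TCP-In)" vs "User-Mode (UDP-In)"); check them against the display names in wf.msc and make them match, since readers search by name. The `Get-NetFirewallRule -Group <groupName>` example would be more useful with the article's own group as the value, and it is worth verifying that `-Group` accepts the display name at all: in my experience the `Group` property of built-in rules is a localizable resource string and `-DisplayGroup "Remote Desktop"` is what matches the name shown in wf.msc, which is also the quick pre-upgrade check for the all-three-enabled state the last paragraph depends on. The fence tag `Powershell` should be lowercase `powershell` to match the rest of the docs set, `ms.reviewer:` is left empty, and `description: Firewall settings lost on upgrade` is terser than the title; make it a full sentence.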
@ -0,0 +1,213 @@
---
title: Quarantine behavior
description: Quarantine behavior is explained in detail.
ms.author: v-bshilpa
author: Benny-54
manager: dansimp
ms.assetid:
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: normal
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 11/17/2020
---

# Quarantine behavior

One of the security challenges that network admins face is configuring a machine properly after a network change.

Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities.

To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.

While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations.

Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine.

## Quarantine filters

The quarantine feature creates filters that can be split into three categories:

- Quarantine default inbound block filter
- Quarantine default exception filters
- Interface un-quarantine filters

These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are:

1. FWPM_LAYER_ALE_AUTH_CONNECT_V4

2. FWPM_LAYER_ALE_AUTH_CONNECT_V6

3. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4

4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6

>[!NOTE]
> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.

For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/windows/win32/fwp/basic-operation).

### Quarantine default inbound block filter

The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet is not explicitly permitted by another filter in the quarantine sublayer.

### Quarantine default exception filters

When the interface is in quarantine state, the quarantine default exception filters will permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.

### Interface un-quarantine filter

The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized.

## Quarantine flow

The following describes the general flow of quarantine:

1. There is some change on the current network interface.

2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state.

3. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter.

4. The WFP filters applicable to the old interface state are removed.

5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state.

6. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets.

## Quarantine diagnostics

There are two methods of identifying packet drops from the quarantine default inbound block filter.

Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:

```console
Netsh wfp cap start
<Reproduce network connectivity issue>
Netsh wfp cap stop
```

These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop `netEvents` and filters that existed during that reproduction.

Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name.

The characters in the application ID name will be separated by periods:

```XML
<asString> \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... </asString>
```

The `netEvent` will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more.

If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`.

The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`.

```XML
<netEvent>
<header>
<timeStamp>2020-10-07T01:03:56.281Z</timeStamp>
<flags numItems="9">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>17</ipProtocol>
<localAddrV4>255.255.255.255</localAddrV4>
<remoteAddrV4>10.195.33.252</remoteAddrV4>
<localPort>21</localPort>
<remotePort>61706</remotePort>
<scopeId>0</scopeId>
<appId>
<data>5c00640065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
</appId>
<userId>S-1-5-19</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>66241</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>0</originalProfile>
<currentProfile>0</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags numItems="1">
<item>FWPM_NET_EVENT_INTERNAL_FLAG_FILTER_ORIGIN_SET</item>
</internalFlags>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="3">
<item>
<filterId>66241</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>74045</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
<item>
<filterId>73602</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
</terminatingFiltersInfo>
<filterOrigin>Quarantine Default</filterOrigin>
<interfaceIndex>5</interfaceIndex>
</internalFields>
</netEvent>

```

Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer.

To enable Filtering Platform Connection audits, run the following command in an administrative command prompt:

```console
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
```

Sample drop audit with `filterOrigin` as `Quarantine Default`.

Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:

```Powershell
Get-NetIPInterface –InterfaceIndex <Interface Index>
Get-NetIPInterface –InterfaceIndex 5
```

Using the interface name, event viewer can be searched for any interface related changes.

To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN).

Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface.
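Review bot: both `Get-NetIPInterface –InterfaceIndex` lines use an en dash (U+2013) rather than a hyphen before the parameter name, so pasting them into PowerShell fails with a parameter-binding error; change them to `-InterfaceIndex`. In the sample `netEvent`, the `<data>` hex under `<appId>` cannot decode to the path in the adjacent `<asString>` (19 UTF-16 code units for a 48-character path), and `<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>` contradicts the surrounding text, which describes quarantine as blocking new *inbound* connections; either use a sample whose fields agree or explain the direction value, otherwise readers may conclude that quarantine also drops outbound traffic. The prose names the sublayer `FWPM_SUBLAYER_MPSSVC_QUARANTINE` while the trace shows `FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE`; one sentence mapping the two names would save readers a search when they read their own wfpdiag.xml. The short `<asString>` snippet uses doubled backslashes (`\\.d.e.v.i.c.e.\\`) where the full sample uses single ones; make them consistent. Minor: "Alternatively, If" should be lowercase "if", the fence tags `XML` and `Powershell` should be lowercase to match the docs set, and `ms.assetid:` and `ms.reviewer:` are left empty.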