deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-26 07:43:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into mdatp-seccon-mgmt-lomayor

Browse Source
This commit is contained in:
lomayor
2019-06-27 14:20:17 -07:00
parent 0bed48a791 866b2d3e32
commit 1ffe9c3fd0
452 changed files with 2032 additions and 1057 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/TOC.md
View File

@ -72,6 +72,7 @@
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
@ -515,7 +516,7 @@
##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
###### [How to list XML elements in <EventData>](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [How to list XML elements in \<EventData>](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)

23
windows/security/threat-protection/microsoft-defender-atp/TOC.md
View File

@ -4,6 +4,10 @@
### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
#### [Configuration score](configuration-score.md)
#### [Security recommendation](tvm-security-recommendation.md)
#### [Remediation](tvm-remediation.md)
#### [Software inventory](tvm-software-inventory.md)
#### [Weaknesses](tvm-weaknesses.md)
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
@ -75,6 +79,7 @@
### [Automated investigation and remediation](automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
### [Secure score](overview-secure-score.md)
@ -82,14 +87,12 @@
### [Microsoft Threat Experts](microsoft-threat-experts.md)
### [Threat analytics](threat-analytics.md)
### [Advanced hunting](overview-hunting.md)
#### [Query data using Advanced hunting](advanced-hunting.md)
##### [Advanced hunting reference](advanced-hunting-reference.md)
##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
#### [Custom detections](overview-custom-detections.md)
#####[Create custom detections rules](custom-detection-rules.md)
##### [Create custom detections rules](custom-detection-rules.md)
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts.md)
@ -119,7 +122,7 @@
### [Assign user access to the portal](assign-portal-access.md)
### [Evaluate Microsoft Defender ATP](evaluate-atp.md)
####Evaluate attack surface reduction
#### Evaluate attack surface reduction
##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
@ -133,7 +136,7 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
###Hardware-based isolation
### Hardware-based isolation
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
@ -368,7 +371,7 @@
### Configure Microsoft Threat Protection integration
#### [Configure Conditional Access](configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
####[Configure information protection in Windows](information-protection-in-windows-config.md)
#### [Configure information protection in Windows](information-protection-in-windows-config.md)
### [Configure Microsoft Defender Security Center settings](preferences-setup.md)
@ -390,14 +393,14 @@
##### [Enable Threat intel](enable-custom-ti.md)
##### [Enable SIEM integration](enable-siem-integration.md)
####Rules
#### Rules
##### [Manage suppression rules](manage-suppression-rules.md)
##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
##### [Manage indicators](manage-indicators.md)
##### [Manage automation file uploads](manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
####Machine management
#### Machine management
##### [Onboarding machines](onboard-configure.md)
##### [Offboarding machines](offboard-machines.md)
@ -406,7 +409,7 @@
## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md)
###Troubleshoot sensor state
### Troubleshoot sensor state
#### [Check sensor state](check-sensor-status.md)
#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
@ -416,7 +419,7 @@
### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md)
#### [Check service health](service-status.md)
###Troubleshoot attack surface reduction
### Troubleshoot attack surface reduction
#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)

54
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Manage actions related to automated investigation and remediation
description: Use the action center to manage actions related to automated investigation and response
keywords: action, center, autoir, automated, investigation, response, remediation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Manage actions related to automated investigation and remediation
The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of Action center page](images/action-center.png)
The action center consists of two main tabs:
- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
- History - Acts as an audit log for:
- All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
## Related topics
- [Automated investigation and investigation](automated-investigations.md)
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)

2
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -56,7 +56,7 @@ During an Automated investigation, details about each analyzed entity is categor
The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions.
If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions.
### How an Automated investigation expands its scope

11
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -1,6 +1,5 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
ms.reviewer:
description: Expand your visibility into the overall security configuration posture of your organization
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
@ -9,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
author: mjcaparas
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -25,7 +24,7 @@ ms.date: 04/11/2019
[!include[Prerelease information](prerelease.md)]
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score. Well keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
> Secure score is now part of Threat & Vulnerability Management as Configuration score. Well keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
@ -54,4 +53,8 @@ The goal is to improve your configuration score by remediating the issues in the
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)

5
windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
View File

@ -1,8 +1,8 @@
---
title: Evaluate Microsoft Defender Advanced Threat Protection
ms.reviewer:
description:
keywords:
description: Evaluate the different security capabilities in Microsoft Defender ATP.
keywords: attack surface reduction, evaluate, next, generation, protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -16,7 +16,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 08/10/2018
---
# Evaluate Microsoft Defender ATP

BIN
windows/security/threat-protection/microsoft-defender-atp/images/action-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.9 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 137 KiB

After

Width:  |  Height:  |  Size: 167 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 69 KiB

After

Width:  |  Height:  |  Size: 134 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 72 KiB

3
windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
View File

@ -22,8 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
The dashboard is structured into two sections:

12
windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
View File

@ -68,13 +68,13 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
2. Select **Create a suppression rule**.
You can create a suppression rule based on the following attributes:
You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
* File hash
* File name - wild card supported
* File path - wild card supported
* IP
* URL - wild card supported
* File SHA1
* File name - wildcard supported
* Folder path - wildcard supported
* IP address
* URL - wildcard supported
3. Select the **Trigerring IOC**.

32
windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
View File

@ -162,37 +162,9 @@ If there are pending actions on an Automated investigation, you'll see a pop up
![Image of pending actions](images/pending-actions.png)
When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of pending actions page](images/atp-pending-actions-list.png)
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
- Quarantine file
- Remove persistence
- Stop process
- Expand pivot
- Quarantine service
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
![Image of pending action selected](images/atp-pending-actions-file.png)
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
## Related topic
- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)

25
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -1,6 +1,5 @@
---
title: Next-generation Threat & Vulnerability Management
ms.reviewer:
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
search.product: eADQiWindows 10XVcnh
@ -9,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
author: mjcaparas
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -24,16 +23,14 @@ ms.topic: conceptual
[!include[Prerelease information](prerelease.md)]
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
## Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
>[!Note]
> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
@ -44,21 +41,21 @@ It provides the following solutions to frequently-cited gaps across security ope
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
- Visibility into software and vulnerabilities. Optics into the organizations software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
- Visibility into software and vulnerabilities. Optics into the organizations software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
### Intelligence-driven prioritization
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
- Protecting high-value assets. Microsoft Defender ATPs integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
- Protecting high-value assets. Microsoft Defender ATPs integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
### Seamless remediation
Microsoft Defender ATPs Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
- One-click remediation requests to IT. Through Microsoft Defender ATPs integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
- Remediation requests to IT. Through Microsoft Defender ATPs integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
@ -66,3 +63,7 @@ Microsoft Defender ATPs Threat & Vulnerability Management allows security adm
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)

89
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Stream Microsoft Defender Advanced Threat Protection events.
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
4. Choose a name for your new settings.
5. Choose **Forward events to Azure Event Hubs**.
6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
![Image of event hub resource Id](images/event-hub-resource-id.png)
7. Choose the events you want to stream and click **Save**.
## The schema of the events in Azure Event Hubs:
```
{
"records": [
{
"time": "<The time WDATP received the event>"
"tenantId": "<The Id of the tenant that the event belongs to>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}
...
]
}
```
- Each event hub message in Azure Event Hubs contains list of records.
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
## Data types mapping:
To get the data types for event properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
```
{EventType}
| getschema
| project ColumnName, ColumnType
```
- Here is an example for Machine Info event:
![Image of event hub resource Id](images/machine-info-datatype-example.png)
## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
- [Microsoft Defender ATP streaming API](raw-data-export.md)
- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)

89
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Stream Microsoft Defender Advanced Threat Protection events.
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
4. Choose a name for your new settings.
5. Choose **Forward events to Azure Storage**.
6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
![Image of event hub resource Id](images/storage-account-resource-id.png)
7. Choose the events you want to stream and click **Save**.
## The schema of the events in the Storage account:
- A blob container will be created for each event type:
![Image of event hub resource Id](images/storage-account-event-schema.png)
- The schema of each row in a blob is the following JSON:
```
{
"time": "<The time WDATP received the event>"
"tenantId": "<Your tenant ID>"
"category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
"properties": { <WDATP Advanced Hunting event as Json> }
}
```
- Each blob contains multiple rows.
- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
## Data types mapping:
In order to get the data types for our events properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
```
{EventType}
| getschema
| project ColumnName, ColumnType
```
- Here is an example for Machine Info event:
![Image of event hub resource ID](images/machine-info-datatype-example.png)
## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)

43
windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Stream Microsoft Defender Advanced Threat Protection event
description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Event Hubs or Azure storage account
keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Raw Data Streaming API (Preview)
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/).
## In this section
Topic | Description
:---|:---
[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
## Related topics
- [Overview of Advanced Hunting](overview-hunting.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)

241
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -1,108 +1,133 @@
---
title: Threat & Vulnerability Management scenarios
ms.reviewer:
description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Threat & Vulnerability Management scenarios
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Running with Windows 10 1709 (Fall Creators Update) or later
- Have the following mandatory updates installed:
- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device getting breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 0 to 29: low exposure score
- 30 to 69: medium exposure score
- 70 to 100: high exposure score
You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
>>![top security recommendations](images/tvm_security_recommendations.png)
>[!NOTE]
> There are two types of recommendations:
> - <i>Security update</i> which refers to recommendations that require a package installation
> - <i>Configuration</i> change which refers to recommendations that require a registry or GPO modification
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon or the possible alert activity [possible alert activity](images/tvm_alert_icon.png) icon.
2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
## Improve your security configuration
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). Well keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
>>![configuration score widget](images/tvm_config_score.png)
2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
![security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
> >![request remediation](images/tvm_request_remediation.png).
>
> You will see a confirmation message that the remediation task has been created.
> ![remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![save csv file](images/tvm_save_csv_file.png)
5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
---
title: Threat & Vulnerability Management scenarios
description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Threat & Vulnerability Management scenarios
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Running with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
>Threat & Vulnerability Management can also scan machines running on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities coming from patch Tuesday.
- Have the following mandatory updates installed:
- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are using SCCM, update your console to the latest May version 1905
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device getting breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 0 to 29: low exposure score
- 30 to 69: medium exposure score
- 70 to 100: high exposure score
You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
>>![top security recommendations](images/tvm_security_recommendations.png)
>[!NOTE]
> There are two types of recommendations:
> - <i>Security update</i> which refers to recommendations that require a package installation
> - <i>Configuration</i> change which refers to recommendations that require a registry or GPO modification
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon.
2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page ](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
## Improve your security configuration
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). Well keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
>>![configuration score widget](images/tvm_config_score.png)
2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
![security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
>>![request remediation](images/tvm_request_remediation.png).
>You will see a confirmation message that the remediation task has been created.
>![remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![save csv file](images/tvm_save_csv_file.png)
5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase.
## Request a remediation
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
1. Click on a security recommendation you would like to request remediation for, and then click **Remediation options**.
2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
4. Go to the **Remediation** page to view the status of your remediation request.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)

34
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -1,6 +1,5 @@
---
title: What's in the dashboard and what it means for my organization's security posture
ms.reviewer:
description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.product: eADQiWindows 10XVcnh
@ -9,8 +8,8 @@ ms.prod: eADQiWindows 10XVcnh
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -22,18 +21,15 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
>[!NOTE]
> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
- Correlate EDR insights with endpoint vulnerabilities and process them
@ -44,7 +40,7 @@ When you open the portal, youll see the main areas of the capability:
![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png)
![Threat & Vulnerability Management menu](images/tvm_menu.png)
![Threat & Vulnerability Management menu](images/tvm-menu.png)
- (1) Menu in the navigation pane
- (2) Threat & Vulnerability Management icon
@ -55,23 +51,29 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
**Software inventory** | See the list of applications, versions, weaknesses, whether theres an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, open the software page, and see the remediation options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, and option to export the remediation and process data to CSV. See [Remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of applications, versions, weaknesses, whether theres an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a fly-in page with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter will be applied throughout the Threat & Vulnerability management pages only.
**Organization Exposure score** | See the current state of your organizations device exposure to threats and vulnerabilities. Several factors affect your organizations exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organizations exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
**MDATP Configuration score** | See the security posture of your organizations operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
**MDATP Configuration score** | See the security posture of your organizations operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organizations risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your networks devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Configuration score](configuration-score.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)

64
windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Remediation
description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Remediation
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
## Navigate through your remediation options
You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
1. From the fly-in page, you'll see the security recommendation details including your next steps. Click **Remediation options**.
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
3. Select a remediation due date.
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
## How it works
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation page**, and it also creates a remediation ticket in Microsoft Intune.
You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Security recommendation](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)

68
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Security recommendation
description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Security recommendation
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
## The basis of the security recommendation
Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
- Breach likelihood - Your organization's security posture and resilience against threats
- Business value - Your organization's assets, critical processes, and intellectual properties
## Navigate through your security recommendations
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it.
There are security recommendations for application, operating system, network, accounts, and security controls.
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
From that page, you can do any of the following depending on what you need to do:
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)

44
windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Software inventory
description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Software inventory
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
2. In the **Software inventory** page, select the application that you want to investigate and a fly-in screen opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
3. In the fly-in screen, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
## How it works
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Security recommendation](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)

60
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Weaknesses
description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/11/2019
---
# Weaknesses
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
## Navigate through your organization's weaknesses page
You can see the list of vulnerabilities in two ways:
*Global search*
1. Click the global search drop-down menu.
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for. The **Weaknesses** page opens with the list of the vulnerabilities and details.
*Weaknesses page in the menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
2. Select the vulnerability that you want to investigate to open up a fly-in page with the vulnerability details, such as: CVE description, CVE ID, exploits available, severity, publish, and update dates.
## How it works
When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
If the **Exposed Machines** column shows 0, that means you are not infected.
If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
You can also see the related alert and threat insights in the **Threat** column.
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Security recommendation](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)

3
windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
View File

@ -28,6 +28,9 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
## June 2019
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
## May 2019
- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)<BR>The threat protection report provides high-level information about alerts generated in your organization.

16
windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
View File

@ -38,8 +38,20 @@ Verify that the **Domain member: Disable machine account password changes** opti
### Best practices
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
3. You may consider using this policy setting in particular environments, such as the following:
- Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
- Embedded devices that do not have write access to the OS volume.
In either of these cases, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a particular OS volume, use the following command:
```
Nltest /sc_change_pwd:<AD DS domain name>
```
In this command, **\<AD DS domain name\>** represents the domain of the local computer. For more information about maintenance windows and non-persistent VDI implementations, see [Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role: VDI optimization principles: Non-Persistent VDI](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#vdi-optimization-principles).
### Location

10
windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
View File

@ -28,19 +28,21 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
In Active Directorybased domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
In Active Directorybased domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the policy **Domain member: Disable machine account password changes** to disable the password change requirement altogether. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
> [!IMPORTANT]
> Significantly increasing the password change interval (or disabling password changes) gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
### Possible values
- User-defined number of days between 0 and 999
- User-defined number of days between 1 and 999
- Not defined.
### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
### Location

6
windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -41,7 +41,7 @@ MpCmdRun.exe [command] [-options]
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
| \-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software |
| \-Scan [-ScanType #] [-File \<path> [-DisableRemediation] [-BootSectorScan]] [-Timeout \<days>] [-Cancel] | Scans for malicious software |
| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing |
| \-GetFiles | Collects support information |
| \-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder |
@ -49,11 +49,11 @@ MpCmdRun.exe [command] [-options]
| \-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded Security intelligence |
| \-RemoveDefinitions [-Engine] | Restores the previous installed engine |
| \-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates |
| \-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s) |
| \-Restore [-ListAll \| [[-Name \<name>] [-All] \| [-FilePath \<filePath>]] [-Path \<path>]] | Restores or lists quarantined item(s) |
| \-AddDynamicSignature [-Path] | Loads dynamic Security intelligence |
| \-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence |
| \-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence |
| \-CheckExclusion -path <path> | Checks whether a path is excluded |
| \-CheckExclusion -path \<path> | Checks whether a path is excluded |
## Related topics

4
windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -83,7 +83,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. Description: *Optional*
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Data type: **String**
1. Value: **\\<sharedlocation>\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Value: **\\<sharedlocation\>\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesnt make sense, go back to the groups blade and confirm the group contains the right users or devices.
@ -94,7 +94,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\<sharedlocation>\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\<sharedlocation\>\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature:

31
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
View File

@ -22,21 +22,18 @@ ms.topic: conceptual
**Applies to:**
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
@ -76,18 +73,18 @@ To complete this process, you must have admin privileges on the machine.
![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
The installation will proceed.
The installation proceeds.
> [!NOTE]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
### Fixing disabled Real Time Protection
### Fixing disabled Real-Time Protection
If you did not enable Microsoft's driver during installation, then Defender's application will display a banner prompting you to enable it:
If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
You can also run ```mdatp --health```. It will report if Real Time Protection is enabled but not available:
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
mavel-mojave:~ testuser$ mdatp --health
@ -98,15 +95,15 @@ realTimeProtectionEnabled : true
```
> [!NOTE]
> You have a 30 minute window to enable Real Time Protection from the warning banner, immediately following installation.
> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
The warning banner containing a **Fix** button, which allows you to quickly enable Real Time Protection, without having to open a command prompt. Select the **Fix** button. It will prompt the **Security & Privacy** system window, where you will have to **Allow** system software from developers "Microsoft Corporation".
The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
If you don't see a prompt, it means that 30 or more minutes have already passed, and Real Time Protection has still not been enabled:
If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
In this case, you will need to perform the following steps to enable Real Time Protection instead.
In this case, you need to perform the following steps to enable Real-Time Protection instead.
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
@ -126,7 +123,7 @@ In this case, you will need to perform the following steps to enable Real Time P
mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real Time Protection is both enabled and available:
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
mavel-mojave:~ testuser$ mdatp --health
@ -140,7 +137,7 @@ realTimeProtectionEnabled : true
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgid is blank.
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId
@ -153,7 +150,7 @@ realTimeProtectionEnabled : true
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
3. Verify that the machine is now associated with orgId:
3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
```bash
mavel-mojave:wdavconfig testuser$ mdatp --health orgId

31
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
View File

@ -22,21 +22,18 @@ ms.topic: conceptual
**Applies to:**
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
@ -85,19 +82,19 @@ Download the installation and onboarding packages from Microsoft Defender Securi
You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. You'll be asked to confirm device management.
1. You are asked to confirm device management.
![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
Select **Open System Preferences**, locate **Management Profile** on the list and select **Approve...**. Your Management Profile would be displayed as **Verified**:
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
2. Select **Continue** and complete the enrollment.
You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. You'll see your device among those listed:
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
![Add Devices screenshot](images/MDATP_5_allDevices.png)
@ -105,17 +102,17 @@ You may now enroll additional devices. You can also enroll them later, after you
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for additional profiles.
6. Repeat steps 1 through 5 for more profiles.
7. Create a new profile one more time, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you'll see them listed under **Monitor** > **Device status**:
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png)
@ -138,11 +135,11 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
![Client apps screenshot](images/MDATP_10_ClientApps.png)
8. Change **Assignment type** to **Required**.
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
10. After some time the application will be published to all enrolled devices. You'll see it listed on **Monitor** > **Device**, under **Device install status**:
10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
![Intune device status screenshot](images/MDATP_12_DeviceInstall.png)
@ -153,7 +150,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
![System Preferences screenshot](images/MDATP_13_SystemPreferences.png)
![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png)
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that we added in Intune.:
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png)
3. You should also see the Microsoft Defender icon in the top-right corner:
@ -162,7 +159,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
## Logging installation issues
See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) .
## Uninstallation

7
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
View File

@ -22,10 +22,7 @@ ms.topic: conceptual
**Applies to:**
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Prerequisites and system requirements
@ -76,7 +73,7 @@ To set the onboarding information, add a property list file with the name, _jamf
>[!IMPORTANT]
> You must set the Preference Domain as "com.microsoft.wdav.atp"
![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png)
### Approved Kernel Extension

58
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
View File

@ -1,6 +1,6 @@
---
title: Installing Microsoft Defender ATP for Mac with different MDM product
description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution.
description: Describes how to install Microsoft Defender ATP for Mac on other management solutions.
keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,65 +17,63 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deployment with a different MDM system
# Deployment with a different Mobile Device Management (MDM) system
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Approach
Your organization may use a Mobile Device Management (MDM) solution we do not officially support.
This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac.
However, we will not be able to provide support for deploying or managing Defender via these solutions.
> [!CAUTION]
> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below.
If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
- Deploying a macOS .pkg to managed machines.
- Deploying macOS system configuration profiles to managed machines.
- Running an arbitrary admin-configured tool/script on managed machines.
- Deploy a macOS .pkg to managed machines.
- Deploy macOS system configuration profiles to managed machines.
- Run an arbitrary admin-configured tool/script on managed machines.
The majority of modern MDM solutions include these features, however, they may call them differently.
Most modern MDM solutions include these features, however, they may call them differently.
You can deploy Defender without the last requirement from the list above, however:
You can deploy Defender without the last requirement from the preceding list, however:
- You won't be able to collect status in a centralized way
- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator
- You will not be able to collect status in a centralized way
- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator
## Deployment
Most MDM solution use the same model for managing macOS machines, with similar terminology.
Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
### Package
Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package),
with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first.
In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
### License settings
Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp".
MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info.
Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information.
### KEXT
### Kernel extension policy
Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
## Was it successful?
## Check installation status
Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine.
Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status.

4
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
View File

@ -20,6 +20,10 @@ ms.topic: conceptual
# Set preferences for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page.

264
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md Normal file
View File

@ -0,0 +1,264 @@
---
title: Privacy for Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, privacy, diagnostic
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Privacy for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youre using Microsoft Defender ATP for Mac.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
## Overview of privacy controls in Microsoft Defender ATP for Mac
This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac.
### Diagnostic data
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device its installed on.
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
By default, both optional and required diagnostic data are sent to Microsoft.
### Cloud delivered protection data
Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
### Sample data
Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent.
## Manage privacy controls with policy settings
If you're an IT administrator, you might want to configure these controls at the enterprise level.
The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
## Diagnostic data events
This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
### Data fields that are common for all events
There is some information about events that is common to all events, regardless of category or data subtype.
The following fields are considered common for all events:
| Field | Description |
| ----------------------- | ----------- |
| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
### Required diagnostic data
**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device its installed on.
Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
#### Software setup and inventory data events
**Microsoft Defender ATP installation / uninstallation**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| correlation_id | Unique identifier associated with the installation. |
| version | Version of the package. |
| severity | Severity of the message (for example Informational). |
| code | Code that describes the operation. |
| text | Additional information associated with the product installation. |
**Microsoft Defender ATP configuration**
The following fields are collected:
| Field | Description |
| --------------------------------------------------- | ----------- |
| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
| cloud_service.service_uri | URI used to communicate with the cloud. |
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
#### Product and service performance data events
**Kernel extension statistics**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| version | Version of Microsoft Defender ATP for Mac. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
| ipc.connects | Number of connection requests received by the kernel extension. |
| ipc.rejects | Number of connection requests rejected by the kernel extension. |
| ipc.connected | Whether there is any active connection to the kernel extension. |
#### Support data
**Diagnostic logs**
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
- All files under */Library/Logs/Microsoft/mdatp/*
- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac
- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac
### Optional diagnostic data
**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
If you choose to send us optional diagnostic data, required diagnostic data is also included.
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
#### Software setup and inventory data events
**Microsoft Defender ATP configuration**
The following fields are collected:
| Field | Description |
| -------------------------------------------------- | ----------- |
| connection_retry_timeout | Connection retry time out when communication with the cloud. |
| file_hash_cache_maximum | Size of the product cache. |
| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
| antivirus_engine.scan_cache_maximum | Size of the product cache. |
| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
| filesystem_scanner.full_scan_directory | Full scan directory. |
| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
| edr.latency_mode | Latency mode used by the detection and response component. |
| edr.proxy_address | Proxy address used by the detection and response component. |
**Microsoft Auto-Update configuration**
The following fields are collected:
| Field | Description |
| --------------------------- | ----------- |
| how_to_check | Determines how product updates are checked (for example automatic or manual). |
| channel_name | Update channel associated with the device. |
| manifest_server | Server used for downloading updates. |
| update_cache | Location of the cache used to store updates. |
### Product and service usage
#### Diagnostic log upload started report
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| sha256 | SHA256 identifier of the support log. |
| size | Size of the support log. |
| original_path | Path to the support log (always under */Library/Application Support/Microsoft/Defender/wdavdiag/*). |
| format | Format of the support log. |
#### Diagnostic log upload completed report
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| request_id | Correlation ID for the support log upload request. |
| sha256 | SHA256 identifier of the support log. |
| blob_sas_uri | URI used by the application to upload the support log. |
#### Product and service performance data events
**Unexpected application exit (crash)**
Unexpected application exits and the state of the application when that happens.
**Kernel extension statistics**
The following fields are collected:
| Field | Description |
| ------------------------------ | ----------- |
| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
| pkt_ack_conn_timeout | |
| ipc.ack_pkts | |
| ipc.nack_pkts | |
| ipc.send.ack_no_conn | |
| ipc.send.nack_no_conn | |
| ipc.send.ack_no_qsq | |
| ipc.send.nack_no_qsq | |
| ipc.ack.no_space | |
| ipc.ack.timeout | |
| ipc.ack.ackd_fast | |
| ipc.ack.ackd | |
| ipc.recv.bad_pkt_len | |
| ipc.recv.bad_reply_len | |
| ipc.recv.no_waiter | |
| ipc.recv.copy_failed | |
| ipc.kauth.vnode.mask | |
| ipc.kauth.vnode.read | |
| ipc.kauth.vnode.write | |
| ipc.kauth.vnode.exec | |
| ipc.kauth.vnode.del | |
| ipc.kauth.vnode.read_attr | |
| ipc.kauth.vnode.write_attr | |
| ipc.kauth.vnode.read_ex_attr | |
| ipc.kauth.vnode.write_ex_attr | |
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
| ipc.kauth.vnode.denied | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
## Resources
- [Privacy at Microsoft](https://privacy.microsoft.com/)

23
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -22,10 +22,7 @@ ms.topic: conceptual
**Applies to:**
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Collecting diagnostic information
@ -64,23 +61,13 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Upgrade
We distribute our updates via Microsoft Auto Update (MAU). You can check for MAU settings in main application's menu (Help => Check For Product Updates...):
![MAU screenshot](images/MDATP_34_MAU.png)
**Q**: Can MDATP for Mac be updated without MAU?
**A**: In the current release, MDATP for Mac product updates are done via MAU. While advanced manageability experts may be able to set up the product updates without MAU, this scenario is not explicitly supported. We will monitor customer interest in this scenario to evaluate its importance relative to other product advancements.
The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
### Within the GUI
### Interactive uninstallation
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
@ -114,7 +101,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
In the Microsoft Defender ATP portal, you'll see two categories of information:
- AV alerts, including:
- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
@ -133,7 +120,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
## Known issues
- Not fully optimized for performance or disk space yet.
- Full Microsoft Defender ATP integration is not available yet.
- Mac devices that switch networks may appear multiple times in the Microsoft Defender ATP portal.
- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device.

144
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md Normal file
View File

@ -0,0 +1,144 @@
---
title: Deploy updates for Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments.
keywords: microsoft, defender, atp, mac, updates, deploy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy updates for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
![MAU screenshot](images/MDATP_34_MAU.png)
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
## Use msupdate
MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate).
In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
```
./msupdate --install --apps wdav00
```
## Set preferences for Microsoft AutoUpdate
This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections.
### Set the channel name
The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
The `Production` channel contains the most stable version of the product.
>[!TIP]
>Microsoft recommends keeping some devices in your enterprise either in `InsiderFast` or `External` in order to preview new features and provide early feedback.
|||
|:---|:---|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | ChannelName |
| **Data type** | String |
| **Possible values** | InsiderFast <br/> External <br/> Production |
### Set update check frequency
Change how often MAU searches for updates.
|||
|:---|:---|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | UpdateCheckFrequency |
| **Data type** | Integer |
| **Default value** | 720 (minutes) |
| **Comment** | This value is set in minutes. |
### Change how MAU interacts with updates
Change how MAU searches for updates.
|||
|:---|:---|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | HowToCheck |
| **Data type** | String |
| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
### Disable Insider checkbox
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|||
|:---|:---|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | DisableInsiderCheckbox |
| **Data type** | Boolean |
| **Possible values** | False (default) <br/> True |
### Limit the telemetry that is sent from MAU
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|||
|:---|:---|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | SendAllTelemetryEnabled |
| **Data type** | Boolean |
| **Possible values** | True (default) <br/> False |
## Example configuration profile
The following configuration profile is used to:
- Place the device in the Insider Fast channel
- Automatically download and install updates
- Enable the "Check for updates" button in the user interface
- Allow users on the device to enroll into the Insider channels
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>InsiderFast</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
</dict>
</plist>
```
To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using:
- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*.
- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*.
## Resources
- [msupdate reference](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate)

94
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -20,62 +20,37 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Mac
>[!IMPORTANT]
>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
This topic describes how to install and use Microsoft Defender ATP for Mac.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
## Whats new in the public preview
## Whats new in the latest release
Since opening the limited preview, we've been working non-stop to enhance the product, by listening to customer feedback. We've reduced the time it takes for devices to appear in Microsoft Defender Security Center, immediately following deployment. We've improved threat handling, enhanced the user experience, and fixed bugs. Other updates to Microsoft Defender ATP for Mac include:
Since the announcement of the public preview, Microsoft has been working non-stop to enhance the product, by listening to customer feedback. We've added management features and more granular controls for diagnostic data collection, refined the user experience, and fixed bugs.
- Enhanced accessibility
- Improved performance
- improved client product health monitoring
- Localization into 37 languages
- Improved anti-tampering protections
- Feedback and samples can now be submitted via the interface.
- Product health can be queried with JAMF or the command line.
- Admins can set their cloud preference for any location, not just for those in the US.
If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
## Installing and configuring
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- Via the command line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
- Via third party tools:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
Whichever method you choose, you will first need to visit the onboarding page in the Microsoft Defender ATP portal.
Once installed, you can configure the product in your enterprise using the steps in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## How to install Microsoft Defender ATP for Mac
### Prerequisites
You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
- Microsoft Defender ATP subscription
- Access to the Microsoft Defender Security Center portal
- Beginner-level experience in macOS and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
You should also have access to Microsoft Defender Security Center.
### System Requirements
- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
- Disk space during preview: 1GB
Beta versions of macOS are not supported.
### System requirements
> [!CAUTION]
> Running other third-party endpoint protection alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
> The three most recent released versions of macOS are supported. Beta versions of macOS are not supported.
- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them:
| Service | Description | URL |
| -------------- | ------------------------------------ | -------------------------------------------------------------------- |
@ -86,18 +61,45 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should look like this:
The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
>
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
> [!CAUTION]
> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- Via third-party management tools:
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
- Via the command-line tool:
- [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
## How to update Microsoft Defender ATP for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used.
To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md)
## How to configure Microsoft Defender ATP for Mac
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## Resources
For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page.
- For more information about logging, uninstalling, or known issues, see the [Resources](microsoft-defender-atp-mac-resources.md) page.
- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md)

7
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -57,8 +57,7 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
<style type='text/css'> table.oridealign td,th { vertical-align: top; text-align: left; } </style>
<table class="oridealign">
<table>
<tr>
<th colspan="2" >Event ID: 1000</th>
</tr>
@ -2716,7 +2715,7 @@ This section provides the following information about Windows Defender Antivirus
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
<table class="oridealign">
<table>
<tr>
<th colspan="2">Error code: 0x80508007</th>
</tr>
@ -2916,7 +2915,7 @@ The following error codes are used during internal testing of Windows Defender A
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
<table class="oridealign">
<table>
<tr>
<th colspan="3">Internal error codes</th>
</tr>

2
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -75,5 +75,5 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re
### Merging policies
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID <ID>, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID <ID>.
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \<ID>, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \<ID>.

2
windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
View File

@ -65,7 +65,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!NOTE]
> <Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
> \<Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:

2
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
View File

@ -27,7 +27,7 @@ Dynamic Code Security is not enabled by default because existing policies may no
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
To enable Dynamic Code Security, add the following option to the <Rules> section of your policy:
To enable Dynamic Code Security, add the following option to the `<Rules>` section of your policy:
```xml
<Rule>

2
windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
View File

@ -33,7 +33,7 @@ The following sample file uses item-level targeting to ensure that the registry
>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organizations deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">

2
windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
View File

@ -71,4 +71,4 @@ For more information about this design:
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)

2
windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
View File

@ -57,4 +57,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

2
windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
View File

@ -45,4 +45,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)

2
windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
View File

@ -52,4 +52,4 @@ The information that you gather will help you answer the following questions. Th
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)

2
windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
View File

@ -144,4 +144,4 @@ With the other information that you have gathered in this section, this informat
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

2
windows/security/threat-protection/windows-firewall/documenting-the-zones.md
View File

@ -32,4 +32,4 @@ Generally, the task of determining zone membership is not complex, but it can be
| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)|
| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary|
**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)

2
windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
View File

@ -63,4 +63,4 @@ The following groups were created by using the Active Directory Users and Comput
>**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)

2
windows/security/threat-protection/windows-firewall/encryption-zone.md
View File

@ -67,4 +67,4 @@ The GPO for devices that are running at least Windows Server 2008 should includ
- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md)

2
windows/security/threat-protection/windows-firewall/exemption-list.md
View File

@ -57,4 +57,4 @@ To keep the number of exemptions as small as possible, you have several options:
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
**Next: **[Isolated Domain](isolated-domain.md)
**Next:** [Isolated Domain](isolated-domain.md)

2
windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
View File

@ -110,5 +110,5 @@ The following groups were created by using the Active Directory Users and Comput
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

2
windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
View File

@ -37,4 +37,4 @@ Active Directory is another important item about which you must gather informati
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md)

2
windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
View File

@ -118,4 +118,4 @@ Some of the more common applications and protocols are as follows:
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)

2
windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
View File

@ -59,4 +59,4 @@ Whether you use an automatic, manual, or hybrid option to gather the information
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md)

2
windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
View File

@ -82,4 +82,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)

2
windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
View File

@ -48,4 +48,4 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md)

2
windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
View File

@ -50,7 +50,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
**Next:** [Server Isolation GPOs](server-isolation-gpos.md)
 

2
windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
View File

@ -70,4 +70,4 @@ This GPO provides the following rules:
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md)

2
windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
View File

@ -88,4 +88,4 @@ This GPO provides the following rules:
- Authentication mode is set to **Do not authenticate**.
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)

2
windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
View File

@ -31,5 +31,5 @@ Because so many of the settings and rules for this GPO are common to those in th
>**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md)

2
windows/security/threat-protection/windows-firewall/isolated-domain.md
View File

@ -64,4 +64,4 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
**Next: **[Boundary Zone](boundary-zone.md)
**Next:** [Boundary Zone](boundary-zone.md)

2
windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
View File

@ -38,4 +38,4 @@ Use the following table to determine which Windows Firewall with Advanced Securi
To examine details for a specific design, click the design title at the top of the column in the preceding table.
**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)

2
windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
View File

@ -59,4 +59,4 @@ When the clients and servers have the certificates available, you can configure
Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
**Next: **[Documenting the Zones](documenting-the-zones.md)
**Next:** [Documenting the Zones](documenting-the-zones.md)

2
windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
View File

@ -43,5 +43,5 @@ Multiple GPOs might be delivered to each group. Which one actually becomes appli
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
**Next:** [Planning Network Access Groups](planning-network-access-groups.md)

2
windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
View File

@ -38,4 +38,4 @@ For the Woodgrove Bank scenario, access to the devices running SQL Server that s
>**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
**Next: **[Planning the GPOs](planning-the-gpos.md)
**Next:** [Planning the GPOs](planning-the-gpos.md)

2
windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
View File

@ -79,4 +79,4 @@ GPOs for devices running at least Windows Server 2008 should include the follow
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)

2
windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
View File

@ -55,4 +55,4 @@ The following is a list of the firewall settings that you might consider for inc
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)

2
windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
View File

@ -95,4 +95,4 @@ After you have selected a design and assigned your devices to zones, you can beg
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)

2
windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
View File

@ -47,4 +47,4 @@ The following component is recommended for this deployment goal:
Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

2
windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
View File

@ -45,4 +45,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

2
windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
View File

@ -49,4 +49,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

2
windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
View File

@ -59,4 +59,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

2
windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
View File

@ -36,4 +36,4 @@ This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following chan
>**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)

2
windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
View File

@ -82,4 +82,4 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)

2
windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
View File

@ -59,4 +59,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)