deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-10 19:47:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-bl-prep-policies-4457208

Browse Source
This commit is contained in:
Siddarth Mandalika 2020-10-20 18:35:40 +05:30
commit 2041765be2
163 changed files with 2576 additions and 911 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -79,6 +79,11 @@
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy",
"redirect_document_id": true
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",

92
windows/application-management/apps-in-windows-10.md
View File

@ -39,53 +39,53 @@ You can list all provisioned Windows apps with this PowerShell command:
Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
```
Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004.
| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.VP9VideoExtensions | | | x | x | x | No |
| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? |
|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:|
| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes |
| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App |
| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No |
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.VP9VideoExtensions | | | x | x | x | x | No |
| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No |
| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No |
| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.

54
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -22,13 +22,10 @@ ms.topic: article
- Windows 10
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
![Remote Desktop Connection client](images/rdp.png)
> [!TIP]
> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
@ -37,36 +34,39 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group.
> [!NOTE]
> You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
> ```PowerShell
> net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
> ```
> where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example:
> - for cloud only user: "There is no such global user or group : *name*"
> - for synced user: "There is no such global user or group : *name*" </br>
>
> In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
> In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
> [!NOTE]
> You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
> ```powershell
> net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
> ```
> where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example:
> - for cloud only user: "There is no such global user or group : *name*"
> - for synced user: "There is no such global user or group : *name*" </br>
> [!NOTE]
> In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
> In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations

2
windows/client-management/mdm/TOC.md
View File

@ -267,6 +267,7 @@
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)
@ -307,6 +308,7 @@
#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
#### [WindowsLogon](policy-csp-windowslogon.md)
#### [WindowsPowerShell](policy-csp-windowspowershell.md)
#### [WindowsSandbox](policy-csp-windowssandbox.md)
#### [WirelessDisplay](policy-csp-wirelessdisplay.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)

5
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -165,7 +165,10 @@ The following image illustrates how MDM applications will show up in the Azure a
### Add cloud-based MDM to the app gallery
You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery.
> [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<colgroup>

10
windows/client-management/mdm/firewall-csp.md
View File

@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localaddressranges"></a>**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is &quot;<em>&quot;. Valid tokens include:</p>
<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>&quot;</em>&quot; indicates any local address. If present, this must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>"*" indicates any local address. If present, this must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
<li>An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.</li>
@ -260,9 +260,9 @@ Sample syncxml to provision the firewall settings to evaluate
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteaddressranges"></a>**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is &quot;<em>&quot;. Valid tokens include:</p>
<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:</p>
<ul>
<li>&quot;</em>&quot; indicates any remote address. If present, this must be the only token included.</li>
<li>"*" indicates any remote address. If present, this must be the only token included.</li>
<li>&quot;Defaultgateway&quot;</li>
<li>&quot;DHCP&quot;</li>
<li>&quot;DNS&quot;</li>

23
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -5575,6 +5575,29 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### WindowsSandbox policies
<dl>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allowaudioinput" id="windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
</dd>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection" id="windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
</dd>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allownetworking" id="windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
</dd>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection" id="windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
</dd>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allowvgpu" id="windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
</dd>
<dd>
<a href="./policy-csp-windowssandbox.md#windowssandbox-allowvideoinput" id="windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
</dd>
</dl>
### WirelessDisplay policies
<dl>

232
windows/client-management/mdm/policy-csp-localusersandgroups.md Normal file
View File

@ -0,0 +1,232 @@
---
title: Policy CSP - LocalUsersAndGroups
description: Policy CSP - LocalUsersAndGroups
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/14/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - LocalUsersAndGroups
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## LocalUsersAndGroups policies
<dl>
<dd>
<a href="#localusersandgroups-configure">LocalUsersAndGroups/Configure</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="localusersandgroups-configure"></a>**LocalUsersAndGroups/Configure**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10, version 2010. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
>
> Starting from Windows 10, version 2010, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
Here's an example of the policy definition XML for group configuration:
```xml
<GroupConfiguration>
<accessgroup desc = "">
<group action = ""/>
<add member = ""/>
<remove member = ""/>
</accessgroup>
</GroupConfiguration>
```
where:
- `<accessgroup desc>`: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.
- `<group action>`: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R:
- Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
- Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting.
- `<add member>`: Specifies the SID or name of the member to configure.
- `<remove member>`: Specifies the SID or name of the member to remove from the specified group.
> [!NOTE]
> When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
> [!IMPORTANT]
> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
**Examples**
Example 1: Update action for adding and removing group members.
The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**).
```xml
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = "U" />
<add member = "Contoso\ITAdmins"/>
<add member = "S-1-5-32-544"/>
<add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
<remove member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
Example 2: Restrict action for replacing the group membership.
The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**).
```xml
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = "R" />
<add member = "S-1-5-32-544"/>
<add member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
## FAQs
This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
### What happens if I accidentally remove the built-in Administrator SID from the Administrators group?
Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:
| Error Code | Symbolic Name | Error Description | Header |
|----------|----------|----------|----------|
| 0x55b (Hex) <br> 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `<add member>` to avoid this error.
### Can I add a member that already exists?
Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error.
### Can I remove a member if it isn't a member of the group?
Yes, you can remove a member even if it isn't a member of the group. This will result in no changes to the group and no error.
### How can I add a domain group as a member to a local group?
To add a domain group as a member to a local group, specify the domain group in `<add member>` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
### Can I apply more than one LocalUserAndGroups policy/XML to the same device?
No, this is not allowed. Attempting to do so will result in a conflict in Intune.
### What happens if I specify a group name that doesn't exist?
Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully.
### What happens if I specify R and U in the same XML?
If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins.
### How do I check the result of a policy that is applied on the client device?
After a policy is applied on the client device, you can investigate the event log to review the result:
1. Open Event Viewer (**eventvwr.exe**).
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-
Diagnostics-Provider** > **Admin**.
3. Search for the `LocalUsersAndGroups` string to review the relevant details.
### How can I troubleshoot Name/SID lookup APIs?
To troubleshoot Name/SID lookup APIs:
1. Enable **lsp.log** on the client device by running the following commands:
```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force
```
The **lsp.log** file (**C:\windows\debug\lsp.log**) will be displayed. This log file tracks the SID-Name resolution.
2. Turn the logging off by running the following command:
```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
```
Footnotes:
- 9 - Available in Windows 10, version 2010.
<!--/Policies-->

3
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -14,6 +14,9 @@ manager: dansimp
# Policy CSP - RestrictedGroups
> [!IMPORTANT]
> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
<hr/>

25
windows/client-management/mdm/policy-csp-system.md
View File

@ -1,13 +1,13 @@
---
title: Policy CSP - System
description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update.
description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 08/12/2020
ms.date: 10/14/2020
ms.reviewer:
manager: dansimp
---
@ -212,14 +212,13 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
This policy setting controls whether Microsoft is a processor or controller for Windows diagnostic data collected from devices.
This policy setting opts the device into the Windows enterprise data pipeline.
If you enable this policy and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline.
If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline.
>[!Note]
> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10.
<!--/Description-->
<!--ADMXMapped-->
@ -234,8 +233,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Do not use the Windows Commercial Data Pipeline
- 1 - Use the Windows Commercial Data Pipeline
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--Example-->
@ -245,7 +244,9 @@ The following list shows the supported values:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowdevicenameindiagnosticdata"></a>**System/AllowDeviceNameInDiagnosticData**
@ -488,7 +489,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts.
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
@ -509,7 +510,7 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available.
- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
<!--/SupportedValues-->
@ -1605,7 +1606,7 @@ The following list shows the supported values:
This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
To enable this behavior you must complete two steps:
To enable this behavior, you must complete two steps:
<ul>
<li>Enable this policy setting</li>
<li>Set Allow Telemetry to level 2 (Enhanced)</li>

561
windows/client-management/mdm/policy-csp-windowssandbox.md Normal file
View File

@ -0,0 +1,561 @@
---
title: Policy CSP - WindowsSandbox
description: Policy CSP - WindowsSandbox
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/14/2020
---
# Policy CSP - WindowsSandbox
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## WindowsSandbox policies
<dl>
<dd>
<a href="#windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
</dd>
<dd>
<a href="#windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
</dd>
<dd>
<a href="#windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
</dd>
<dd>
<a href="#windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
</dd>
<dd>
<a href="#windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
</dd>
<dd>
<a href="#windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allowaudioinput"></a>**WindowsSandbox/AllowAudioInput**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
If this policy is not configured, end-users get the default behavior (audio input enabled).
If audio input is disabled, a user will not be able to enable audio input from their own configuration file.
If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow audio input in Windows Sandbox*
- GP name: *AllowAudioInput*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allowclipboardredirection"></a>**WindowsSandbox/AllowClipboardRedirection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
If this policy is not configured, end-users get the default behavior (clipboard redirection enabled.
If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file.
If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow clipboard sharing with Windows Sandbox*
- GP name: *AllowClipboardRedirection*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allownetworking"></a>**WindowsSandbox/AllowNetworking**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
If this policy is not configured, end-users get the default behavior (networking enabled).
If networking is disabled, a user will not be able to enable networking from their own configuration file.
If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow networking in Windows Sandbox*
- GP name: *AllowNetworking*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allowprinterredirection"></a>**WindowsSandbox/AllowPrinterRedirection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
If this policy is not configured, end-users get the default behavior (printer sharing disabled).
If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file.
If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow printer sharing with Windows Sandbox*
- GP name: *AllowPrinterRedirection*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allowvgpu"></a>**WindowsSandbox/AllowVGPU**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
If this policy is not configured, end-users get the default behavior (vGPU is disabled).
If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file.
If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow vGPU sharing for Windows Sandbox*
- GP name: *AllowVGPU*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default) - Disabled
- 1 - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowssandbox-allowvideoinput"></a>**WindowsSandbox/AllowVideoInput**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the IT admin to enable or disable video input to the Sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
If this policy is not configured, users get the default behavior (video input disabled).
If video input is disabled, users will not be able to enable video input from their own configuration file.
If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
> [!NOTE]
> You must restart Windows Sandbox for any changes to this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English Name: *Allow video input in Windows Sandbox*
- GP name: *AllowVideoInput*
- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default) - Disabled
- 1 - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 2010.
<!--/Policies-->

4
windows/client-management/mdm/surfacehub-csp.md
View File

@ -161,7 +161,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<thead>
<tr class="header">
<th>ErrorContext value</th>
<th>Stage where error occured</th>
<th>Stage where error occurred</th>
<th>Description and suggestions</th>
</tr>
</thead>
@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**
<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons).
<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.

4
windows/deployment/update/delivery-optimization-proxy.md
View File

@ -54,7 +54,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user):
|---------|---------|
|Internet Explorer proxy, current user | No |
|Internet Explorer proxy, device-wide | Yes |
|netsh proxy | No |
|netsh proxy | Yes |
|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used |
|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used |
@ -76,4 +76,4 @@ However, you can set the Connected Cache server to use an unauthenticated proxy.
- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](https://docs.microsoft.com/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
- [How to use GPP Registry to uncheck automatically detect settings? ](https://docs.microsoft.com/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)
- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)

148
windows/deployment/update/media-dynamic-update.md
View File

@ -18,7 +18,7 @@ ms.topic: article
**Applies to**: Windows 10
This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images <em>prior to deployment</em> and includes Windows PowerShell scripts you can use to automate this process.
This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
@ -42,8 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
|---------|---------|---------|---------|
@ -94,8 +93,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure:
These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure:
|Folder |Description |
|---------|---------|
@ -108,49 +106,51 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
#Requires -RunAsAdministrator
Write-Host "$(Get-TS): Starting media refresh"
function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
# Declare media for FOD and LPs
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
Write-Output "$(Get-TS): Starting media refresh"
# Declare language for showcasing adding optional localized components
$LANG = "ja-jp"
$LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare media for FOD and LPs
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
# Declare Dynamic Update packages
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
# Declare folders for mounted images and temp files
$WORKING_PATH = "C:\mediaRefresh\temp"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$WORKING_PATH = "C:\mediaRefresh\temp"
$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Mount the language pack ISO
Write-Host "$(Get-TS): Mounting LP ISO"
Write-Output "$(Get-TS): Mounting LP ISO"
$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Declare language related cabs
$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs"
$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG
$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name
$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab"
$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab"
$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab"
$WINPE_OC_PATH = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -Name
$WINPE_OC_LP_PATH = "$WINPE_OC_LANG_PATH\lp.cab"
$WINPE_FONT_SUPPORT_PATH = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab"
$WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Mount the Features on Demand ISO
Write-Host "$(Get-TS): Mounting FOD ISO"
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
@ -161,10 +161,11 @@ New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
@ -176,25 +177,25 @@ It finishes by cleaning and exporting the image to reduce the image size.
```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Write-Output "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
#
# update Windows Recovery Environment (WinRE)
#
Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Mounting WinRE"
Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
#
# Optional: Add the language to recovery environment
#
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@ -210,7 +211,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@ -219,7 +220,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@ -227,30 +228,31 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Add Safe OS
Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on WinRE"
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
@ -266,15 +268,15 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
# update WinPE
Write-Host "$(Get-TS): Mounting WinPE"
Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@ -291,7 +293,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@ -300,7 +302,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@ -308,39 +310,40 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
Write-Host "$(Get-TS): Updating lang.ini"
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
}
}
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on WinPE"
Write-Output "$(Get-TS): Performing image cleanup on WinPE"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
#Export WinPE
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
@ -355,36 +358,36 @@ You can install Optional Components, along with the .NET feature, offline, but t
#
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Optional: Add language to main OS
Write-Host "$(Get-TS): Adding package $OS_LP_PATH"
Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
# Optional: Add a Features on Demand to the image
Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Note: If I wanted to enable additional Features on Demand, I'd add these here.
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Copy our updated recovery image from earlier into the main OS
@ -393,7 +396,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop
Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on main OS"
Write-Output "$(Get-TS): Performing image cleanup on main OS"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
@ -402,18 +405,18 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Write-Output "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
# Dismount
Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
@ -428,9 +431,10 @@ This part of the script updates the Setup files. It simply copies the individual
#
# Add Setup DU by copy the files from the package into the newMedia
Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH"
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
```
### Finish up
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
@ -444,9 +448,9 @@ As a last step, the script removes the working folder of temporary files, and un
Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
Write-Host "$(Get-TS): Dismounting ISO images"
Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Media refresh completed!"
Write-Output "$(Get-TS): Media refresh completed!"
```

2
windows/deployment/update/servicing-stack-updates.md
View File

@ -28,6 +28,8 @@ Servicing stack updates provide fixes to the servicing stack, the component that
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog.
## When are they released?
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."

2
windows/deployment/update/waas-configure-wufb.md
View File

@ -5,7 +5,7 @@ manager: laurawi
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.collection: M365initiative-coredeploy
ms.collection: m365initiative-coredeploy
audience: itpro
author: jaimeo
ms.localizationpriority: medium

15
windows/deployment/update/waas-delivery-optimization.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.collection:
- M365-modern-desktop
- M365initiative-coredeploy
- m365initiative-coredeploy
ms.topic: article
---
@ -137,7 +137,7 @@ If you set up Delivery Optimization to create peer groups that include devices a
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/delivery-optimization-proxy). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update).
**What hostnames should I allow through my firewall to support Delivery Optimization?**:
@ -193,6 +193,7 @@ If you dont see any bytes coming from peers the cause might be one of the fol
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
- None of the computers on the network are getting updates from peers.
### Clients aren't able to reach the Delivery Optimization cloud services.
@ -204,7 +205,6 @@ If you suspect this is the problem, try these steps:
3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network.
If you suspect this is the problem, try these steps:
@ -223,6 +223,15 @@ If you suspect this is the problem, try a Telnet test between two devices on the
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
### None of the computers on the network are getting updates from peers
If you suspect this is the problem, check Delivery Optimization settings that could limit participation in peer caching. Check whether the following settings in assigned group policies, local group policies, are MDM policies are too restrictive:
- Minimum RAM (inclusive) allowed to use peer caching
- Minimum disk size allowed to use peer caching
- Enable peer caching while the device connects using VPN.
- Allow uploads when the device is on battery while under the set battery level

2
windows/deployment/update/waas-integrate-wufb.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365initiative-coredeploy
ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---

2
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -9,7 +9,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.collection: M365initiative-coredeploy
ms.collection: m365initiative-coredeploy
---
# Prepare servicing strategy for Windows 10 updates

2
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365initiative-coredeploy
ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---

8
windows/deployment/upgrade/quick-fixes.md
View File

@ -158,11 +158,11 @@ To check and repair system files:
### Repair unsigned drivers
Drivers that are not properly signed can block the upgrade process. Drivers might not be properly signed if you:
[Drivers](https://docs.microsoft.com/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you:
- Disabled driver signature verification (highly not recommended).
- A catalog file used to sign a driver is corrupt or missing.
Catalog files are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. This can cause the upgrade process to fail. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works.
Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works.
To check your system for unsigned drivers:
@ -178,7 +178,7 @@ To check your system for unsigned drivers:
7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below).
10. Download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
[Sigcheck](https://docs.microsoft.com/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck:
@ -208,6 +208,8 @@ To check your system for unsigned drivers:
Valid to: 11:46 AM 5/9/2018
(output truncated)
```
In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat.
13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example:

9
windows/docfx.json
View File

@ -18,10 +18,11 @@
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"
},
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",

2
windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
View File

@ -96,6 +96,7 @@ The following methodology was used to derive the network endpoints:
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Pro
@ -161,6 +162,7 @@ The following methodology was used to derive the network endpoints:
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Education

1
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -75,6 +75,7 @@ Communicating with Azure Active Directory uses the following URLs:
- enterpriseregistration.windows.net
- login.microsoftonline.com
- login.windows.net
- account.live.com
If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage.microsoft.com

6
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -18,14 +18,14 @@ ms.date: 02/28/2019
ms.custom: bitlocker
---
# BCD settings and BitLocker
# Boot Configuration Data settings and BitLocker
**Applies to**
- Windows 10
This topic for IT professionals describes the BCD settings that are used by BitLocker.
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings

2
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -28,7 +28,7 @@ This topic for the IT professional explains how BitLocker features can be used t
## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.

8
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -43,7 +43,7 @@ Before Windows starts, you must rely on security features implemented as part of
### Trusted Platform Module
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview).
@ -126,7 +126,7 @@ For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” sectio
## Attack countermeasures
This section covers countermeasures for specific types attacks.
This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@ -162,7 +162,7 @@ The following sections cover mitigations for different types of attackers.
Physical access may be limited by a form factor that does not expose buses and memory.
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Pre-boot authentication set to TPM only (the default)
@ -172,7 +172,7 @@ Mitigation:
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
Mitigation:
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation).
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-And-

2
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -23,7 +23,7 @@ ms.custom: bitlocker
- Windows 10
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organizations confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -593,7 +593,7 @@ After you've decided where your protected apps can access enterprise data on you
**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS templates license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp).
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesnt actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy.
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesnt actually apply Azure Information Protection to the files.
If you dont specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), its a regular EFS file using a default RMS template that all users can access.

3
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
- Microsoft To Do
> [!NOTE]
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
@ -113,6 +115,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** fixmapi.exe<br>**App Type:** Desktop app |
| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Todos<br>**App Type:** Store app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

35
windows/security/threat-protection/TOC.md
View File

@ -49,18 +49,27 @@
#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
## [Security administration]()
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Threat & vulnerability management]()
#### [Overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Get started]()
##### [Permissions & prerequisites](microsoft-defender-atp/tvm-prerequisites.md)
##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
##### [Assign device value](microsoft-defender-atp/tvm-assign-device-value.md)
#### [Assess your security posture]()
##### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
##### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
##### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
#### [Improve your security posture & reduce risk]()
##### [Address security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
#### [Understand vulnerabilities on your devices]()
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
##### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
##### [Hunt for exposed devices](microsoft-defender-atp/tvm-hunt-exposed-devices.md)
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
@ -448,7 +457,7 @@
##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)

6
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -42,7 +42,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
## Account Management
@ -150,8 +150,8 @@ Auditors will be able to prove that every resource in the system is protected by
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)

4
windows/security/threat-protection/auditing/event-4625.md
View File

@ -166,7 +166,7 @@ This event generates on domain controllers, member servers, and workstations.
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
@ -284,7 +284,7 @@ For 4625(F): An account failed to log on.
- Monitor for all events with the fields and values in the following table:
| **Field** | Value to monitor for |
| Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |

48
windows/security/threat-protection/index.md
View File

@ -17,20 +17,20 @@ ms.topic: conceptual
---
# Threat Protection
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
>[!TIP]
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
<center><h2>Microsoft Defender ATP</center></h2>
<table>
<tr>
<td><a href="#tvm"><center><img src="images/TVM_icon.png"> <br><b>Threat & Vulnerability Management</b></center></a></td>
<td><a href="#asr"><center><img src="images/asr-icon.png"> <br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/ngp-icon.png"><br> <b>Next-generation protection</b></a></center></td>
<td><center><a href="#edr"><img src="images/edr-icon.png"><br> <b>Endpoint detection and response</b></a></center></td>
<td><center><a href="#ai"><img src="images/air-icon.png"><br> <b>Automated investigation and remediation</b></a></center></td>
<td><center><a href="#mte"><img src="images/mte-icon.png"><br> <b>Microsoft Threat Experts</b></a></center></td>
<td><a href="#tvm"><center><img src="images/TVM_icon.png" alt="threat and vulnerability icon"> <br><b>Threat & vulnerability management</b></center></a></td>
<td><a href="#asr"><center><img src="images/asr-icon.png" alt="attack surface reduction icon"> <br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="next generation protection icon"><br> <b>Next-generation protection</b></a></center></td>
<td><center><a href="#edr"><img src="images/edr-icon.png" alt="endpoint detection and response icon"><br> <b>Endpoint detection and response</b></a></center></td>
<td><center><a href="#ai"><img src="images/air-icon.png" alt="automated investigation and remediation icon"><br> <b>Automated investigation and remediation</b></a></center></td>
<td><center><a href="#mte"><img src="images/mte-icon.png" alt="microsoft threat experts icon"><br> <b>Microsoft Threat Experts</b></a></center></td>
</tr>
<tr>
<td colspan="7">
@ -47,19 +47,14 @@ ms.topic: conceptual
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**<br>
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
- [Remediation](microsoft-defender-atp/tvm-remediation.md)
- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Get started](microsoft-defender-atp/tvm-prerequisites.md)
- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md)
- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md)
<a name="asr"></a>
@ -103,25 +98,16 @@ Endpoint detection and response capabilities are put in place to detect, investi
<a name="ai"></a>
**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**<br>
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
<a name="ss"></a>
**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**<br>
Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Threat analytics](microsoft-defender-atp/threat-analytics.md)
<a name="mte"></a>
**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**<br>
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
@ -149,4 +135,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
<a name="mtp"></a>
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

2
windows/security/threat-protection/intelligence/fileless-threats.md
View File

@ -43,7 +43,7 @@ A fully fileless malware can be considered one that never requires writing a fil
A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult deal with because antivirus products usually dont have the capability to inspect firmware. Even if they did, it would be extremely challenging to detect and remediate threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. Its not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
Infections of this type can be particularly difficult to detect because most antivirus products dont have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. Its not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
## Type II: Indirect file activity

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 195 KiB

44
windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
View File

@ -1,6 +1,6 @@
---
title: Protect security settings with tamper protection
ms.reviewer: shwjha
ms.reviewer: shwjha, hayhov
manager: dansimp
description: Use tamper protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, tamper protection
@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 10/08/2020
ms.date: 10/14/2020
---
# Protect security settings with tamper protection
@ -136,22 +136,24 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.<br/>
3. Configure tamper protection as part of the new policy.
- In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
- In the **Profile** list, select **Windows Security experience (preview)**. <br/>
The following screenshot illustrates how to create your policy:
4. Deploy the policy to your device collection.
:::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager":::
3. Deploy the policy to your device collection.
Need help? See the following resources:
- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy)
- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings)
- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
- [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy)
## View information about tampering attempts
@ -161,7 +163,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen
![Microsoft Defender Security Center](images/tamperattemptalert.png)
Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
## Review your security recommendations
@ -179,7 +181,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
### To which Windows OS versions is configuring tamper protection is applicable?
Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
@ -189,13 +191,13 @@ No. Third-party antivirus offerings will continue to register with the Windows S
### What happens if Microsoft Defender Antivirus is not active on a device?
Tamper protection will not have any impact on such devices.
Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
### How can I turn tamper protection on/off?
If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
@ -216,9 +218,9 @@ Some sample Microsoft Defender Antivirus settings:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\<br />
Value `DisableRealtimeMonitoring` = 0
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
@ -226,9 +228,9 @@ If you are using tenant attach, you can use Microsoft Endpoint Configuration Man
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You wont be able to change the features that are protected by tamper protection; such change requests are ignored.
@ -236,9 +238,9 @@ You wont be able to change the features that are protected by tamper protecti
No. Local admins cannot change or modify tamper protection settings.
### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
In this case, tamper protection status changes, and this feature is no longer applied.
If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
@ -254,6 +256,6 @@ In addition, your security operations team can use hunting queries, such as the
[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)

80
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md Normal file
View File

@ -0,0 +1,80 @@
---
title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# AssignedIPAddresses()
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
This function returns a table with the following columns:
Column | Data type | Description
-|-|-
`Timestamp` | datetime | Latest time when the device was observed using the IP address
`IPAddress` | string | IP address used by the device
`IPType` | string | Indicates whether the IP address is a public or private address
`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype)
`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet
## Syntax
```kusto
AssignedIPAddresses(x, y)
```
## Arguments
- **x**`DeviceId` or `DeviceName` value identifying the device
- **y**`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
## Examples
### Get the list of IP addresses used by a device 24 hours ago
```kusto
AssignedIPAddresses('example-device-name', ago(1d))
```
### Get IP addresses used by a device and find devices communicating with it
This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices.
```kusto
let Date = datetime(example-date);
let DeviceName = "example-device-name";
// List IP addresses used on or before the specified date
AssignedIPAddresses(DeviceName, Date)
| project DeviceName, IPAddress, AssignedTime = Timestamp
// Get all network events on devices with the assigned IP addresses as the destination addresses
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Get only network events around the time the IP address was assigned
| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
```
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

13
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -21,14 +21,16 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Optimize query performance
Apply these recommendations to get results faster and avoid timeouts while running complex queries.
Apply these recommendations to get results faster and avoid timeouts while running complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
@ -43,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni
## Query tips and pitfalls
### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
@ -57,6 +60,7 @@ DeviceNetworkEvents
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Queries with command lines
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
@ -87,9 +91,12 @@ DeviceProcessEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Custom detections overview](overview-custom-detections.md)

48
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Extend advanced hunting coverage with the right settings
description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/10/2020
---
# Extend advanced hunting coverage with the right settings
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
## Advanced security auditing on Windows devices
Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
Data | Description | Schema table | How to configure
-|-|-|-
Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)<br> - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

85
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md Normal file
View File

@ -0,0 +1,85 @@
---
title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# FileProfile()
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
Column | Data type | Description
-|-|-
SHA1 | string | SHA-1 of the file that the recorded action was applied to
SHA256 | string | SHA-256 of the file that the recorded action was applied to
MD5 | string | MD5 hash of the file that the recorded action was applied to
FileSize | int | Size of the file in bytes
GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
Signer | string | Information about the signer of the file
Issuer | string | Information about the issuing certificate authority (CA)
SignerHash | string | Unique hash value identifying the signer
IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
ThreatName | string | Detection name for any malware or other threats found
Publisher | string | Name of the organization that published the file
SoftwareName | string | Name of the software product
## Syntax
```kusto
invoke FileProfile(x,y)
```
## Arguments
- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
## Examples
### Project only the SHA1 column and enrich it
```kusto
DeviceFileEvents
| where isnotempty(SHA1) and Timestamp > ago(1d)
| take 10
| project SHA1
| invoke FileProfile()
```
### Enrich the first 500 records and list low-prevalence files
```kusto
DeviceFileEvents
| where ActionType == "FileCreated" and Timestamp > ago(1d)
| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
| invoke FileProfile("SHA1", 500)
| where GlobalPrevalence < 15
```
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

107
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Get relevant info about an entity with go hunt
description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting.
keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
f1.keywords:
- NOCSH
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Quickly hunt for entity or event information with go hunt
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device.
![Image showing device details with the go hunt option](./images/go-hunt-device.png)
- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity.
![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png)
- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting.
![Image showing event details with the go hunt option](./images/go-hunt-event.png)
Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event.
## Query for entity information
When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident.
Here is an example of the go hunt query for a device:
```kusto
let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z);
let deviceName = "fv-az770.example.com";
let deviceId = "device-guid";
search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents)
Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
and DeviceName == deviceName
// or RemoteDeviceName == deviceName
// or DeviceId == deviceId
| take 100
```
### Supported entity types
You can use *go hunt* after selecting any of these entity types:
- Files
- Users
- Devices
- IP addresses
- URLs
## Query for event information
When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
```kusto
// List relevant events 30 minutes before and after selected RegistryValueSet event
let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
| sort by Timestamp desc
| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
| project-reorder Relevance
```
## Adjust the query
With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window:
```kusto
Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h))
```
In addition to modifying the query to get more relevant results, you can also:
- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart)
- [Create a custom detection rule](custom-detection-rules.md)
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Custom detection rules](custom-detection-rules.md)

18
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -28,18 +28,20 @@ ms.topic: article
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
<br />
<br />
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
>[!TIP]
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
<p></p>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
Go through the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
@ -50,18 +52,24 @@ We recommend going through several steps to quickly get up and running with adva
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
Time information in advanced hunting is currently in the UTC time zone.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)

5
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
@ -176,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

10
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
View File

@ -116,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your
## Drill down from query results
To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record:
- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels
- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees.
- **All details** — Lists all the values from the columns in the record
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
@ -126,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use
![Image of advanced hunting result set](images/advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**.
![Image of advanced hunting filter](images/advanced-hunting-filter.png)

5
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -69,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)

6
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -43,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- **Shared queries** — shared to all users in the your organization
- **Shared queries** — shared to all users in your organization
- **My queries** — accessible only to you
5. Select **Save**.
@ -67,3 +67,7 @@ Microsoft security researchers regularly share advanced hunting queries in a [de
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

82
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Take action on advanced hunting query results in Microsoft Threat Protection
description: Quickly address threats and affected assets in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# Take action on advanced hunting query results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
- Take various actions on devices
- Quarantine files
## Required permissions
To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
*Active remediation actions > Threat and vulnerability management - Remediation handling*
## Take various actions on devices
You can take the following actions on devices identified by the `DeviceId` column in your query results:
- Isolate affected devices to contain an infection or prevent attacks from moving laterally
- Collect investigation package to obtain more forensic information
- Run an antivirus scan to find and remove threats using the latest security intelligence updates
- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md).
## Quarantine files
You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file.
- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process.
- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column.
- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md).
>[!NOTE]
>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
## Take action
To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions.
![Image of selected record with panel for inspecting the record](images/ah-take-actions.png)
## Review actions taken
Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)

2
windows/security/threat-protection/microsoft-defender-atp/android-configure.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |

2
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.date: 09/24/2020

2
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -17,7 +17,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR

2
windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
View File

@ -17,7 +17,7 @@ ms.custom:
- edr
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
---
# Behavioral blocking and containment

2
windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
View File

@ -17,7 +17,7 @@ ms.custom:
- edr
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
---
# Client behavioral blocking

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
View File

@ -40,7 +40,7 @@ You'll need to know the exact Linux distros and macOS versions that are compatib
You'll need to take the following steps to onboard non-Windows devices:
1. Select your preferred method of onboarding:
- For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac).
- For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.

2
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

2
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

94
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -37,14 +37,6 @@ ms.topic: article
Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following Windows servers:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
- Windows Server 2019 core edition
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
@ -54,16 +46,36 @@ For guidance on how to download and use Windows Security Baselines for Windows s
You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:
- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center)
- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)
- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
> [!NOTE]
> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
### Option 1: Onboard Windows servers through Microsoft Defender Security Center
Perform the following steps to onboard Windows servers through Microsoft Defender Security Center:
### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
You'll need to install and configure MMA for Windows servers to report sensor data to Microsoft Defender ATP. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
In general, you'll need to take the following steps:
1. Fulfill the onboarding requirements outlined in **Before you begin** section.
2. Turn on server monitoring from Microsoft Defender Security center.
3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP.
4. Configure and update System Center Endpoint Protection clients.
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
#### Before you begin
Perform the following steps to fulfill the onboarding requirements:
- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
@ -77,32 +89,6 @@ Perform the following steps to onboard Windows servers through Microsoft Defende
> [!NOTE]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal).
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
### Configure and update System Center Endpoint Protection clients
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
### Turn on Server monitoring from the Microsoft Defender Security Center portal
1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
<span id="server-mma"/>
@ -115,16 +101,21 @@ The following steps are required to enable this integration:
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
Once completed, you should see onboarded Windows servers in the portal within an hour.
<span id="server-proxy"/>
### Configure Windows server proxy and Internet connectivity settings
### Configure Windows server proxy and Internet connectivity settings if needed
If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server:
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard)
- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)
If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Microsoft Defender ATP service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.
Once completed, you should see onboarded Windows servers in the portal within an hour.
### Option 2: Onboard Windows servers through Azure Security Center
1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
@ -135,9 +126,15 @@ Once completed, you should see onboarded Windows servers in the portal within an
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
@ -201,6 +198,17 @@ Data collected by Microsoft Defender ATP is stored in the geo-location of the te
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
## Configure and update System Center Endpoint Protection clients
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.

61
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -16,6 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# Create custom detection rules
@ -23,30 +24,36 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
## 1. Check required permissions
> [!NOTE]
> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
## 2. Prepare the query
## 1. Prepare the query.
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
>[!IMPORTANT]
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
To use a query for a custom detection rule, the query must return the following columns:
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
- `Timestamp`
- `DeviceId`
- `ReportId`
Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```kusto
DeviceEvents
@ -56,7 +63,10 @@ DeviceEvents
| where count_ > 5
```
## 3. Create new rule and provide alert details
> [!TIP]
> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
## 2. Create a new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details:
@ -67,36 +77,52 @@ With the query in the query editor, select **Create detection rule** and specify
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
- **Description**—more information about the component or activity identified by the rule
- **Recommended actions**—additional actions that responders might take in response to an alert
- **Recommended actions**—additional actions that responders might take in response to an alert
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
### Rule frequency
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
- **Every hour**—runs hourly, checking data from the past 2 hours
> [!TIP]
> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
## 4. Specify actions on files or devices
## 3. Choose the impacted entities.
Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
## 4. Specify actions.
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
### Actions on devices
These actions are applied to devices in the `DeviceId` column of the query results:
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
### Actions on files
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
## 5. Set the rule scope
## 5. Set the rule scope.
Set the scope to specify which devices are covered by the rule:
- All devices
@ -104,12 +130,15 @@ Set the scope to specify which devices are covered by the rule:
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
## 6. Review and turn on the rule
## 6. Review and turn on the rule.
After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
## Related topics
- [View and manage detection rules](custom-detections-manage.md)
- [View and manage custom detection rules](custom-detections-manage.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)

2
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -18,7 +18,7 @@ ms.custom:
ms.date: 08/21/2020
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
---
# Endpoint detection and response (EDR) in block mode

2
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ah-take-actions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-device.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-event.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 84 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/go-hunt-evidence-url.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 63 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 78 KiB

2
windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

2
windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
ms.date: 04/24/2018
---

2
windows/security/threat-protection/microsoft-defender-atp/investigation.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: article
---

2
windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/ios-install.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

60
windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
View File

@ -1,60 +0,0 @@
---
title: Microsoft Defender ATP for iOS note on Privacy
ms.reviewer:
description: Describes the Microsoft Defender ATP for iOS Privacy
keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: sunasing
author: sunasing
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for iOS note on Privacy
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
## What information can my organization see when I use Microsoft Defender ATP on iOS
Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks.
**What your organization can never see:**
- Calling and web browsing history
- Email and text messages
- Contacts
- Calendar
- Passwords
- Pictures, including what's in the photos app or camera roll
- Files
**What your organization can see:**
- Malicious Connections that were blocked by Microsoft Defender ATP
- Device model, like iPhone 11
- Operating system and version, like iOS 12.0.1
- Device name
- Device serial number
## VPN Usage
Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
## More on Privacy
[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement)

78
windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Microsoft Defender ATP for iOS note on Privacy
ms.reviewer:
description: Describes the Microsoft Defender ATP for iOS Privacy
keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: sunasing
author: sunasing
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for iOS - Privacy information
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md)
>[!NOTE]
> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**.
Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP.
Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service.
## Required data
Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
### Web page / Network information
- Connection information
- Protocol type (such as HTTP, HTTPS, etc.)
### Device and account information
- Device information such as date & time, iOS version, CPU info, and Device identifier
- Device identifier is one of the below:
- Wi-Fi adapter MAC address
- Randomly generated globally unique identifier (GUID)
- Tenant, Device, and User information
- Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory.
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory
- Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted
- User Principal Name - Email ID of the user
### Product and service usage data
- App package info, including name, version, and app upgrade status
- Actions performed in the app
- Crash report logs generated by iOS
- Memory usage data
## Optional data
Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
Optional diagnostic data includes:
- App, CPU, and network usage
- Features configured by the admin
**Feedback Data** is collected through in-app feedback provided by the user.
- The user's email address, if they choose to provide it
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user
[More on Privacy](https://aka.ms/mdatpiosprivacystatement)

2
windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
hideEdit: true
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
mms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
View File

@ -16,7 +16,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

2
windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365-initiative-defender-endpoint
- m365initiative-defender-endpoint
ms.topic: conceptual
---

Some files were not shown because too many files have changed in this diff Show More