mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge pull request #2046 from MicrosoftDocs/master
Publish 2/12/2020 10:32 AM PST
This commit is contained in:
Thomas Raya
GitHub
commit
25f6b74075
@ -19,7 +19,10 @@ author: shortpatti
|
||||
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
|
||||
|
||||
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
|
||||
[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345)
|
||||
[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157)
|
||||
|
||||
> [!NOTE]
|
||||
> For more information about the hotfix releases, see the [MBAM version chart](https://docs.microsoft.com/archive/blogs/dubaisec/mbam-version-chart).
|
||||
|
||||
#### Steps to update the MBAM Server for existing MBAM environment
|
||||
1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
|
||||
|
||||
@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "
|
||||
> [!NOTE]
|
||||
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
|
||||
|
||||
> [!NOTE]
|
||||
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
@ -1,65 +1,66 @@
|
||||
---
|
||||
title: Identify Users (Windows 10)
|
||||
description: Identify Users
|
||||
ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
ms.author: greglin
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
audience: itpro
|
||||
author: greg-lindsay
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Identify Users
|
||||
|
||||
It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
|
||||
|
||||
## In This Topic
|
||||
|
||||
- [Migrating Local Accounts](#bkmk-8)
|
||||
- [Migrating Domain Accounts](#bkmk-9)
|
||||
- [Command-Line Options](#bkmk-7)
|
||||
|
||||
## <a href="" id="bkmk-8"></a>Migrating Local Accounts
|
||||
|
||||
Before migrating local accounts, note the following:
|
||||
|
||||
- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated.
|
||||
|
||||
- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer.
|
||||
|
||||
- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.
|
||||
|
||||
>[!NOTE]
|
||||
>If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.
|
||||
|
||||
## <a href="" id="bkmk-9"></a>Migrating Domain Accounts
|
||||
|
||||
The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated.
|
||||
|
||||
## <a href="" id="bkmk-7"></a>Command-Line Options
|
||||
|
||||
USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate.
|
||||
|
||||
- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.
|
||||
|
||||
- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool.
|
||||
|
||||
- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool.
|
||||
|
||||
- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option.
|
||||
|
||||
>[!NOTE]
|
||||
>By default, if a user name is not specified in any of the command-line options, the user will be migrated.
|
||||
|
||||
## Related topics
|
||||
|
||||
[Determine What to Migrate](usmt-determine-what-to-migrate.md)<br>
|
||||
[ScanState Syntax](usmt-scanstate-syntax.md)<br>
|
||||
[LoadState Syntax](usmt-loadstate-syntax.md)
|
||||
---
|
||||
title: Identify Users (Windows 10)
|
||||
description: Identify Users
|
||||
ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
ms.author: greglin
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
audience: itpro
|
||||
author: greg-lindsay
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
# Identify Users
|
||||
|
||||
It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
|
||||
|
||||
## In This Topic
|
||||
|
||||
- [Migrating Local Accounts](#bkmk-8)
|
||||
- [Migrating Domain Accounts](#bkmk-9)
|
||||
- [Command-Line Options](#bkmk-7)
|
||||
|
||||
## <a href="" id="bkmk-8"></a>Migrating Local Accounts
|
||||
|
||||
Before migrating local accounts, note the following:
|
||||
|
||||
- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated.
|
||||
|
||||
- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer.
|
||||
|
||||
- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.
|
||||
|
||||
>[!NOTE]
|
||||
>If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.
|
||||
|
||||
## <a href="" id="bkmk-9"></a>Migrating Domain Accounts
|
||||
|
||||
The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated.
|
||||
|
||||
## <a href="" id="bkmk-7"></a>Command-Line Options
|
||||
|
||||
USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate.
|
||||
|
||||
- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.
|
||||
|
||||
- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool.
|
||||
|
||||
- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool.
|
||||
|
||||
- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option.
|
||||
|
||||
>[!NOTE]
|
||||
>By default, if a user name is not specified in any of the command-line options, the user will be migrated.
|
||||
|
||||
## Related topics
|
||||
|
||||
[Determine What to Migrate](usmt-determine-what-to-migrate.md)<br>
|
||||
[ScanState Syntax](usmt-scanstate-syntax.md)<br>
|
||||
[LoadState Syntax](usmt-loadstate-syntax.md)
|
||||
|
||||
@ -59,7 +59,7 @@ To enable white glove deployment, an additional Autopilot profile setting must b
|
||||
|
||||
|
||||
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device.
|
||||
|
||||
>[!NOTE]
|
||||
>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||
|
||||
@ -29,8 +29,12 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t
|
||||
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
|
||||
|
||||
## Get started with advanced hunting
|
||||
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
|
||||
<p></p>
|
||||
|
||||
We recommend going through several steps to quickly get up and running with advanced hunting.
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
|
||||
|
||||
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
|
||||
|
||||
| Learning goal | Description | Resource |
|
||||
|--|--|--|
|
||||
|
||||
@ -24,7 +24,7 @@ ms.custom: asr
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803.
|
||||
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
|
||||
|
||||
> [!TIP]
|
||||
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
|
||||
@ -93,7 +93,7 @@ Win32K | 260 | Untrusted Font
|
||||
|
||||
## Mitigation comparison
|
||||
|
||||
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md).
|
||||
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md).
|
||||
|
||||
The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
|
||||
|
||||
|
||||
@ -26,6 +26,11 @@ Cyberthreats are emerging more frequently and prevalently. It is critical for or
|
||||
|
||||
Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
|
||||
|
||||
Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
|
||||
<p></p>
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
|
||||
|
||||
## View the threat analytics dashboard
|
||||
|
||||
The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
|
||||
|
||||
@ -73,7 +73,7 @@ You'll need to whitelist the `securitycenter.windows.com` and all sub-domains un
|
||||
|
||||
|
||||
## Portal communication issues
|
||||
If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation.
|
||||
If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communication.
|
||||
|
||||
- `*.blob.core.windows.net
|
||||
crl.microsoft.com`
|
||||
@ -89,4 +89,4 @@ crl.microsoft.com`
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)
|
||||
- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)
|
||||
|
||||
@ -13,7 +13,7 @@ author: denisebmsft
|
||||
ms.author: deniseb
|
||||
ms.custom: nextgen
|
||||
audience: ITPro
|
||||
ms.date: 01/06/2020
|
||||
ms.date: 02/12/2020
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent
|
||||
|
||||
#### Enable PUA protection in Chromium-based Microsoft Edge
|
||||
|
||||
Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser.
|
||||
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
|
||||
|
||||
1. From the tool bar, select **Settings and more** > **Settings**.
|
||||
1. Select the ellipses, and then choose **Settings**.
|
||||
2. Select **Privacy and services**.
|
||||
3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off.
|
||||
3. Under the **Services** section, turn on **Block potentially unwanted apps**.
|
||||
|
||||
> [!TIP]
|
||||
> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
|
||||
|
||||
@ -91,7 +91,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
|
||||
|
||||
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
|
||||
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
|
||||
- Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
|
||||
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
|
||||
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
|
||||
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
|
||||
|
||||
@ -119,7 +119,7 @@ Here's what you see in the Windows Security app:
|
||||
|
||||
### Are you using Windows OS 1709, 1803, or 1809?
|
||||
|
||||
If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
|
||||
If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
|
||||
|
||||
#### Use PowerShell to determine whether tamper protection is turned on
|
||||
|
||||
@ -155,7 +155,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
|
||||
|
||||
### To which Windows OS versions is configuring tamper protection is applicable?
|
||||
|
||||
Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
|
||||
Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
|
||||
|
||||
### Is configuring tamper protection in Intune supported on servers?
|
||||
|
||||
|
||||
@ -83,7 +83,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
|
||||
|
||||
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
|
||||
|
||||
When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
|
||||
When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
|
||||
|
||||
### Is there a size limit to the domain lists that I need to configure?
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
ms.date: 11/09/2017
|
||||
ms.date: 02/11/2020
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.custom: asr
|
||||
@ -42,3 +42,4 @@ Your environment needs the following software to run Windows Defender Applicatio
|
||||
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher<br>Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|
||||
|Browser|Microsoft Edge and Internet Explorer|
|
||||
|Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
|
||||
|Windows Defender Exploit Protection settings|The following settings should be configured or verified in the **Windows Security** app under **App & browser control** > **Exploit protection** > **Exploit protection settings** > **System Settings**.<br><br>**Control flow guard (CFG)** must be set to **Use default (On)** or **Off by default**. If set to **On by default**, [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard) will not launch.<br><br>**Randomize memory allocations (Bottom-up ASLR)** must be set to **Use default (On)** or **Off by default**. If set to "On by default", the `Vmmem` process will have high CPU utilization while a Windows Defender Application Guard window is open.|
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user