Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

2025-06-22 05:43:41 +00:00 · 2020-01-31 23:54:28 +00:00
parent fd381976ba 6b9925eb7d
commit 27f74cb32f
14 changed files with 189 additions and 80 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@ -30,8 +30,8 @@ Microsoft is committed to its vision of a <u>world without passwords.</u> We rec
 ## Can I use Windows Hello for Business key trust and RDP?
 RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.

-## Can I deploy Windows Hello for Business using System Center Configuration Manager?
-Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
+## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
+Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018.

 ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
 The maximum number of supported enrollments on a single Windows 10 computer is 10.  That enables 10 users to each enroll their face and up to 10 fingerprints.  While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re
 For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
 - IT departments to manage work-owned devices from a central location.
 - Users to sign in to their devices with their Active Directory work or school accounts. 
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them.

 If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.

--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@ -80,6 +80,18 @@ Specify whether the antivirus engine runs in passive mode. Passive mode has the
 | **Possible values** | false (default) <br/> true |
 | **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |

+#### Exclusion merge policy
+
+Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | exclusionsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default) <br/> admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
 #### Scan exclusions

 Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
@ -160,6 +172,18 @@ Specify threats by name that are not blocked by Microsoft Defender ATP for Mac.
 | **Key** | allowedThreats |
 | **Data type** | Array of strings |

+#### Disallowed threat actions
+
+Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | disallowedThreatActions |
+| **Data type** | Array of strings |
+| **Possible values** | allow (restricts users from allowing threats) <br/> restore (restricts users from restoring threats from the quarantine) |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
 #### Threat type settings

 Specify how certain threat types are handled by Microsoft Defender ATP for Mac.
@ -197,6 +221,18 @@ Specify what action to take when a threat of the type specified in the preceding
 | **Data type** | String |
 | **Possible values** | audit (default) <br/> block <br/> off |

+#### Threat type settings merge policy
+
+Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | threatTypeSettingsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default) <br/> admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
 ### Cloud-delivered protection preferences

 Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
@ -483,10 +519,17 @@ The following configuration profile contains entries for all settings described
                <string>pdf</string>
            </dict>
        </array>
+        <key>exclusionsMergePolicy</key>
+        <string>merge</string>
        <key>allowedThreats</key>
        <array>
            <string>EICAR-Test-File (not a virus)</string>
        </array>
+        <key>disallowedThreatActions</key>
+        <array>
+            <string>allow</string>
+            <string>restore</string>
+        </array>
        <key>threatTypeSettings</key>
        <array>
            <dict>
@ -502,6 +545,8 @@ The following configuration profile contains entries for all settings described
                <string>audit</string>
            </dict>
        </array>
+        <key>threatTypeSettingsMergePolicy</key>
+        <string>merge</string>
    </dict>
    <key>cloudService</key>
    <dict>
@ -594,10 +639,17 @@ The following configuration profile contains entries for all settings described
                            <string>pdf</string>
                        </dict>
                    </array>
+                    <key>exclusionsMergePolicy</key>
+                    <string>merge</string>
                    <key>allowedThreats</key>
                    <array>
                        <string>EICAR-Test-File (not a virus)</string>
                    </array>
+                    <key>disallowedThreatActions</key>
+                    <array>
+                        <string>allow</string>
+                        <string>restore</string>
+                    </array>
                    <key>threatTypeSettings</key>
                    <array>
                        <dict>
@ -613,6 +665,8 @@ The following configuration profile contains entries for all settings described
                            <string>audit</string>
                        </dict>
                    </array>
+                    <key>threatTypeSettingsMergePolicy</key>
+                    <string>merge</string>
                </dict>
                <key>cloudService</key>
                <dict>
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@ -19,6 +19,12 @@ ms.topic: conceptual

 # What's new in Microsoft Defender Advanced Threat Protection for Mac

+## 100.83.73
+
+- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
+- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
+- Performance improvements & bug fixes
+
 ## 100.82.60

 - Addressed an issue where the product fails to start following a definition update.
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@ -29,7 +29,7 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic

 <a id="ref1"></a>

-## Use Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options:

 See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).