From c4e05bee82eba5736e53e971e2433929df88ec2c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:03:43 +0500 Subject: [PATCH 01/29] Procedural Changes An unnecessary step was added in the procedure and has been removed. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8408 --- .../mac-jamfpro-policies.md | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 5faeec9c8d..f1017e4215 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -750,18 +750,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Navigate to **Advanced Computer Searches**. - - ![A screenshot of a social media post Description automatically generated](images/95313facfdd5e1ea361981e0a2478fec.png) - -5. Select **Computer Management**. +4. Select your computer and click the gear icon on the top, select **Computer Management** ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) -6. In **Packages**, select **+ New**. +5. In **Packages**, select **+ New**. ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png) -7. In **New Package** Enter the following details: +6. In **New Package** Enter the following details: **General tab** - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg. @@ -774,15 +770,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![A screenshot of a computer screen Description automatically generated](images/1aa5aaa0a387f4e16ce55b66facc77d1.png) -8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. + **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File. + **Options tab**
Keep default values. **Limitations tab**
Keep default values. ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) -9. Select **Save**. The package is uploaded to Jamf Pro. +8. Select **Save**. The package is uploaded to Jamf Pro. ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) @@ -790,45 +788,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) -10. Navigate to the **Policies** page. +9. Navigate to the **Policies** page. ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) -11. Select **+ New** to create a new policy. +10. Select **+ New** to create a new policy. ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png) -12. In **General** Enter the following details: +11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png) -13. Select **Recurring Check-in**. +12. Select **Recurring Check-in**. ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) -14. Select **Save**. +13. Select **Save**. -15. Select **Packages > Configure**. +14. Select **Packages > Configure**. ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png) -16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) -17. Select **Save**. +16. Select **Save**. ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) -18. Select the **Scope** tab. +17. Select the **Scope** tab. ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) -19. Select the target computers. +18. Select the target computers. ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) @@ -844,7 +842,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) -20. Select **Done**. +19. Select **Done**. ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) From 8c4268ea229155638b6cb9a201fcaa9985a3a8ed Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:33:46 +0500 Subject: [PATCH 02/29] Addition of a right A right was missing from the list. Added the basic info. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8551 --- .../security-policy-settings/user-rights-assignment.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 03d0a20cf4..6074db6073 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,6 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| @@ -78,6 +79,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| + ## Related topics From 053da0a6581a34a3d11ed9fe2f0c921bc4725ab5 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:09:40 -0700 Subject: [PATCH 03/29] Update windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/mac-jamfpro-policies.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index f1017e4215..961a958e6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -750,7 +750,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Select your computer and click the gear icon on the top, select **Computer Management** +4. Select your computer and click the gear icon at the top, then select **Computer Management**. ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) @@ -851,4 +851,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - From 7682c17362d6802ae7a7019d280feb3a5263afd1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:22:32 -0700 Subject: [PATCH 04/29] Update windows/security/threat-protection/security-policy-settings/user-rights-assignment.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../security-policy-settings/user-rights-assignment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 6074db6073..656b0c378b 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,7 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| -| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| +| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| From 500fd2c72ee5fa5d5ce00dbe699dabac111a77e3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 10:50:21 +0500 Subject: [PATCH 05/29] Update use-vamt-in-windows-powershell.md --- .../volume-activation/use-vamt-in-windows-powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 7389bcd273..0fcb1ad99c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -57,7 +57,7 @@ get-help get-VamtProduct -all ``` **Warning** -The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278). +The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt). **To view VAMT PowerShell Help sections** From eb8843f637a817ceb46c8c58d9eb75c116ab8655 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 11:59:56 +0500 Subject: [PATCH 06/29] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..fc57328704 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 7c7a13348fa00a44133e085964b25260ba80d04e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:37:28 +0500 Subject: [PATCH 07/29] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index fc57328704..d99d54226f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 7ced57c6927538be4219721a78fa1d09b0eb879a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 13 Jan 2021 07:23:37 +0500 Subject: [PATCH 08/29] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d99d54226f..ba1692b00e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From b83175dcb1eafe83648d424b07efa4bc40665622 Mon Sep 17 00:00:00 2001 From: msft-cjeich Date: Thu, 14 Jan 2021 12:17:20 -0800 Subject: [PATCH 09/29] Update web-content-filtering.md Text update to account for changes to our data provider. Also - 15 min for policy sync is incorrect. SLA should be 2hrs. Include other 3rd party browsers which NP supports. This is a server-side change which requires no client side changes. --- .../microsoft-defender-atp/web-content-filtering.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index d8daf9644c..b6d259a0f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -32,7 +32,7 @@ Web content filtering is part of [Web protection](web-protection-overview.md) ca Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. -Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section. +Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section. Summarizing the benefits: @@ -42,7 +42,7 @@ Summarizing the benefits: ## User experience -The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly in-browser experience, consider using Microsoft Edge. @@ -54,11 +54,11 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. ## Data handling -We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. +We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. ## Turn on web content filtering @@ -78,7 +78,7 @@ To add a new policy: 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices. Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. @@ -138,7 +138,7 @@ Use the time range filter at the top left of the page to select a time period. Y ### Limitations and known issues in this preview -- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox. +- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. From 5893f5768835f358ad7dae1824a2cbaa12a1975c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:42:06 +0500 Subject: [PATCH 10/29] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: mapalko --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index ba1692b00e..8570ec4a63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 97136cf8c9ec2eba91ce0020b387d55baaeb0532 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:47:53 +0500 Subject: [PATCH 11/29] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 8570ec4a63..449642dfe7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 2614a6dcebeef0d92a5c8245e4b797048e11cc14 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:33:17 +0500 Subject: [PATCH 12/29] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 449642dfe7..0c252830e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 576057ec5bce89bcafe9d656d7ba013088bbf163 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:36:10 +0500 Subject: [PATCH 13/29] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0c252830e7..cb3a0081f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 4d281e31d100e182c94040de6bbde8ee1a8202b9 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 12:54:14 -0800 Subject: [PATCH 14/29] Update waas-delivery-optimization.md Add Edge browser support to content type table. --- windows/deployment/update/waas-delivery-optimization.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index de5f866595..7337c717c1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b - Office installations and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - - Edge browser installations and updates + - Edge browser installs and updates ## Requirements @@ -90,7 +90,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 1e96248e32a1da6172b1b24587481405dba6c81c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 20:01:51 -0800 Subject: [PATCH 15/29] Update waas-delivery-optimization.md Add Dynamic updates support --- windows/deployment/update/waas-delivery-optimization.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 7337c717c1..599fd37ab1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates + - Dynamic updates ## Requirements @@ -92,6 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | +| Dynamic updates | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 244dc8bbb5d5464dea2fe6390c906766bc36e622 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Fri, 22 Jan 2021 13:09:33 -0800 Subject: [PATCH 16/29] Update waas-delivery-optimization.md Add link to Dynamic Updates blog post. --- windows/deployment/update/waas-delivery-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 599fd37ab1..bbafcf8b44 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -66,7 +66,7 @@ For information about setting up Delivery Optimization, including tips for the b - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates - - Dynamic updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -93,7 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | -| Dynamic updates | 1903 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 463b8b0f8cf8d6b1066728d21cb4b34138608a98 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 25 Jan 2021 10:13:26 -0600 Subject: [PATCH 17/29] Update security-compliance-toolkit-10.md Removed 1709 as we dont support it any longer and pulled it from the DLC --- .../security/threat-protection/security-compliance-toolkit-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index fd8ba1f7f9..509869f9e5 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -34,7 +34,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1507 From f8e3f311ae43ba2b3c195b8c4a5c48b54c9c4869 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:17:00 +0500 Subject: [PATCH 18/29] Update mandatory-settings-for-wip.md --- .../mandatory-settings-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index eb25f0556d..bf2e926154 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| From 18bbbe6262a11c530e44a23e596395aaa921f787 Mon Sep 17 00:00:00 2001 From: Jeff Gilbert Date: Mon, 25 Jan 2021 17:58:10 -0500 Subject: [PATCH 19/29] Update create-wip-policy-using-intune-azure.md Updated per request from PM (dereka). --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f36275b6ba..19f213f47f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the ` For example: ```console -URL <,proxy>|URL <,proxy>/*AppCompat*/ +URL <,proxy>|URL <,proxy>|/*AppCompat*/ ``` When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. From 285c15d89bcdbc854e1d7bd5fe8c1de59454cf6a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 25 Jan 2021 17:12:21 -0800 Subject: [PATCH 20/29] Update windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/web-content-filtering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index b6d259a0f2..87f0151c05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -54,7 +54,7 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled. ## Data handling From 74cb283b850d34b520e224c3427a835072f062bd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 08:56:15 -0800 Subject: [PATCH 21/29] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e49265a2f..d895dbaa84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/25/2021 +ms.date: 01/26/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -35,7 +35,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) 6. [Getting help if you still have issues with false positives/negatives](#still-need-help) @@ -131,7 +131,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Part 3: Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. From 9570f49f975fab39c28c729a2aaa0ecef3cfe3d6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:08:43 -0800 Subject: [PATCH 22/29] crosslinking --- .../antivirus-false-positives-negatives.md | 7 ++++++- .../microsoft-defender-antivirus-compatibility.md | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 099dbc450f..e99e915192 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 06/08/2020 +ms.date: 01/26/2021 ms.reviewer: shwetaj manager: dansimp audience: ITPro @@ -35,6 +35,9 @@ What if something gets detected wrongly as malware, or something is missed? We c - [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) - [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) +> [!TIP] +> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md). + ## Submit a file to Microsoft for analysis 1. Review the [submission guidelines](../intelligence/submission-guide.md). @@ -76,3 +79,5 @@ To learn more, see: [What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) + +[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 7a74769372..ad505f776b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -122,4 +122,5 @@ The table in this section summarizes the functionality and features that are ava - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) From 79733d6899e099c607c3c2cfac9b538d7ed473e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:10:21 -0800 Subject: [PATCH 23/29] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 4233bcca90..93e3809c2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act ## See also - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) From c067a53cca66b8ef72f63d94c56a31f155531c38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:11:50 -0800 Subject: [PATCH 24/29] Update helpful-resources.md --- .../helpful-resources.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index 7d275ab90b..fd973e1a2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -29,31 +29,31 @@ ms.technology: mde Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform -- [Top scoring in industry +- [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Defender for Endpoint Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational -- [The Golden Hour remake - Defining metrics for a successful security +- [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Defender for Endpoint Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) -- [How automation brings value to your security +- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) From 8c381211d597a1727bfdf4afcb05e1874ec85404 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:13:01 -0800 Subject: [PATCH 25/29] Update helpful-resources.md --- .../microsoft-defender-atp/helpful-resources.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index fd973e1a2a..88e26c2252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -57,3 +57,5 @@ Access helpful resources such as links to blogs and other resources related to - [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From e3fb119c6451ff8e454050d406126460f245ef88 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:14:47 -0800 Subject: [PATCH 26/29] Update manage-atp-post-migration.md --- .../microsoft-defender-atp/manage-atp-post-migration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index 2cb0d3548e..efb39aa306 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-scenario ms.topic: conceptual -ms.date: 09/22/2020 +ms.date: 01/26/2021 ms.reviewer: chventou --- @@ -43,3 +43,6 @@ The following table lists various tools/methods you can use, with links to learn |**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).

See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). | |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*

You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).

You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).

You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). | +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 92f0b61c0674ae8e52cab1d67873b1ad9594da14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:23:40 -0800 Subject: [PATCH 27/29] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d895dbaa84..217c0ca4ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -307,6 +307,9 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). +> [!TIP] +> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. + ## Still need help? From 99ddcfab0a6114688c9433efb418c6f987d0a1c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:31:20 -0800 Subject: [PATCH 28/29] Update auto-investigation-action-center.md --- .../microsoft-defender-atp/auto-investigation-action-center.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index e929d6e210..0fb359840a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -170,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 0ee619b4fcec0cb7011e5cf4f1e882a75be2b3b0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 10:22:42 -0800 Subject: [PATCH 29/29] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 0304cdd397..75f4bba554 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.date: 01/07/2021 +ms.date: 01/26/2021 ms.collection: - m365-security-compliance - m365initiative-defender-endpoint @@ -70,7 +70,7 @@ The following image shows an instance of unwanted software that was detected and |Requirement |Details | |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | +|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |