From 06ecbe549f74f2fee4abe46cfe7be822916ad2ef Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 7 Feb 2020 18:36:30 +0500 Subject: [PATCH 01/14] Addition of comments As requested by user comments has been updated to improve the structure of HTML of the document. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4918 --- .../client-management/mdm/bitlocker-csp.md | 213 ++++++++++++------ 1 file changed, 148 insertions(+), 65 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82139a98a6..746ef380c5 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -31,12 +31,15 @@ The following diagram shows the BitLocker configuration service provider in tree ![BitLocker csp](images/provisioning-csp-bitlocker.png) + **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. - + **RequireStorageCardEncryption** + Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. - + + @@ -57,12 +60,13 @@ Allows the administrator to require storage card encryption on the device. This
Homecheck mark
+ Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on. - + - 0 (default) – Storage cards do not need to be encrypted. - 1 – Require storage cards to be encrypted. - + Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. If you want to disable this policy use the following SyncML: @@ -87,11 +91,13 @@ If you want to disable this policy use the following SyncML: ``` Data type is integer. Supported operations are Add, Get, Replace, and Delete. - + + **RequireDeviceEncryption** - + Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. - + + @@ -112,7 +118,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke
Homecheck mark
- + Data type is integer. Sample value for this node to enable this policy: 1. Supported operations are Add, Get, Replace, and Delete. @@ -126,12 +132,12 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix - It must not be a system partition. - It must not be backed by virtual storage. - It must not have a reference in the BCD store. - + The following list shows the supported values: - 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. - 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). - + If you want to disable this policy, use the following SyncML: ```xml @@ -152,10 +158,13 @@ If you want to disable this policy, use the following SyncML: ``` - + + **EncryptionMethodByDriveType** - -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". + +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". + + @@ -176,6 +185,8 @@ Allows you to set the default encryption method for each of the different drive
Homecross mark
+ + ADMX Info: - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -202,14 +213,14 @@ If you disable or do not configure this policy setting, BitLocker will use the d EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. - + The possible values for 'xx' are: - 3 = AES-CBC 128 - 4 = AES-CBC 256 - 6 = XTS-AES 128 - 7 = XTS-AES 256 - + > [!NOTE] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. @@ -231,9 +242,13 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesRequireStartupAuthentication** + This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". + + @@ -254,6 +269,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require add
Homecross mark
+ + ADMX Info: - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -297,7 +314,7 @@ Data id:
  • ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
    • - + The possible values for 'xx' are: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -328,9 +345,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesMinimumPINLength** + This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". + + @@ -351,6 +372,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure m
    Homecross mark
    + + ADMX Info: - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -397,9 +420,14 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - -**SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). + + +**SystemDrivesRecoveryMessage** + +This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +(PrebootRecoveryInfo_Name). + + @@ -420,6 +448,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure p
    Homecross mark
    + + ADMX Info: - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -445,6 +475,7 @@ Sample value for this node to enable this policy is: ```xml ``` + The possible values for 'xx' are: - 0 = Empty @@ -453,7 +484,7 @@ The possible values for 'xx' are: - 3 = Custom recovery URL is set. - 'yy' = string of max length 900. - 'zz' = string of max length 500. - + > [!NOTE] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. @@ -478,9 +509,13 @@ Disabling the policy will let the system choose the default behaviors. If you w > Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesRecoveryOptions** + This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). + + @@ -501,6 +536,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
    Homecross mark
    + + ADMX Info:
    • GP English name: Choose how BitLocker-protected operating system drives can be recovered
      • @@ -508,7 +545,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • GP ADMX file name: VolumeEncryption.admx
    - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -536,7 +573,7 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are: - true = Explicitly allow - false = Policy not set @@ -549,7 +586,7 @@ The possible values for 'yy' are: The possible values for 'zz' are: - 2 = Store recovery passwords only - 1 = Store recovery passwords and key packages - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -568,9 +605,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **FixedDrivesRecoveryOptions** + This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). + + @@ -591,6 +632,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
    Homecross mark
    + + ADMX Info:
    • GP English name: Choose how BitLocker-protected fixed drives can be recovered
      • @@ -598,7 +641,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • GP ADMX file name: VolumeEncryption.admx
    - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -627,7 +670,7 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are:
    • true = Explicitly allow
      • @@ -647,7 +690,7 @@ The possible values for 'zz' are:
    • 2 = Store recovery passwords only
    • 1 = Store recovery passwords and key packages
    - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -666,9 +709,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **FixedDrivesRequireEncryption** + This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). + + @@ -689,6 +736,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
    Homecross mark
    + + ADMX Info:
    • GP English name: Deny write access to fixed drives not protected by BitLocker
      • @@ -696,7 +745,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • GP ADMX file name: VolumeEncryption.admx
    - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -728,9 +777,13 @@ If you disable or do not configure this setting, all fixed data drives on the co ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **RemovableDrivesRequireEncryption** + This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). + + @@ -751,6 +804,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
    Homecross mark
    + + ADMX Info:
    • GP English name: Deny write access to removable drives not protected by BitLocker
      • @@ -758,7 +813,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
    • GP ADMX file name: VolumeEncryption.admx
    - + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -777,13 +832,13 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
    - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -800,17 +855,18 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` - + + **AllowWarningForOtherDiskEncryption** - + Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. - + > [!IMPORTANT] > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - + @@ -831,12 +887,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the
    Homecross mark
    - + + The following list shows the supported values: - 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. - 1 (default) – Warning prompt allowed. - + ```xml 110 @@ -861,22 +918,24 @@ The following list shows the supported values: >3. The user's personal OneDrive (MDM/MAM only). > >Encryption will wait until one of these three locations backs up successfully. - -**AllowStandardUserEncryption** + + +**AllowStandardUserEncryption** + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. - + > [!NOTE] > This policy is only supported in Azure AD accounts. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - + The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. - + If you want to disable this policy use the following SyncML: ```xml @@ -893,9 +952,13 @@ If you want to disable this policy use the following SyncML: ``` - + + **ConfigureRecoveryPasswordRotation** + This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. + + @@ -916,16 +979,20 @@ This setting initiates a client-driven recovery password refresh after an OS dri
    Homecross mark
    + Value type is int. Supported operations are Add, Delete, Get, and Replace. - + Supported values are: - 0 – Refresh off (default) - 1 – Refresh on for Azure AD-joined devices - 2 – Refresh on for both Azure AD-joined and hybrid-joined devices - + + + **RotateRecoveryPasswords** + This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate. - + The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request. @@ -937,6 +1004,7 @@ Recovery password refresh will only occur for devices that are joined to Azure A Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. - RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. + @@ -957,14 +1025,18 @@ Each server-side recovery key rotation is represented by a request ID. The serve
    Homecross mark
    + Value type is string. Supported operation is Execute. Request ID is expected as a parameter. **Status** Interior node. Supported operation is Get. - -**Status/DeviceEncryptionStatus** + + +**Status/DeviceEncryptionStatus** + This node reports compliance state of device encryption on the system. - + + @@ -985,22 +1057,26 @@ This node reports compliance state of device encryption on the system.
    Homecross mark
    - + + Supported values: - 0 - Indicates that the device is compliant. - Any other value represents a non-compliant device. - + Value type is int. Supported operation is Get. - + + **Status/RotateRecoveryPasswordsStatus** + This node reports the status of RotateRecoveryPasswords request. - + Status code can be one of the following: - 2 – Not started - 1 - Pending - 0 - Pass - Any other code - Failure HRESULT + @@ -1021,11 +1097,16 @@ Status code can be one of the following:
    Homecross mark
    + Value type is int. Supported operation is Get. - + + **Status/RotateRecoveryPasswordsRequestID** + This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. + + @@ -1046,6 +1127,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
    Homecross mark
    + Value type is string. Supported operation is Get. ### SyncML example @@ -1210,4 +1292,5 @@ The following example is provided to show proper format and should not be taken -``` \ No newline at end of file +``` + From 92a7ed8fd870ae6251f3d938d8b58865d0c5ff31 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 10 Feb 2020 09:05:43 +0500 Subject: [PATCH 02/14] Minor changes to adjust the Richtext Minor changes to adjust the Richtext --- windows/client-management/mdm/bitlocker-csp.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 746ef380c5..34121e6cc5 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -195,6 +195,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -279,6 +280,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -382,6 +384,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -458,6 +461,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -546,6 +550,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -642,6 +647,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -746,6 +752,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -814,6 +821,7 @@ ADMX Info:
  • GP ADMX file name: VolumeEncryption.admx
    • + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). From 0f19b2686c14037121c1d3309e26f789f6c90850 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 10 Feb 2020 18:38:40 +0500 Subject: [PATCH 03/14] Changes to adjust the Richtext view difference. Changes to adjust the Richtext view difference. --- windows/client-management/mdm/bitlocker-csp.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 34121e6cc5..9244d5d9db 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -997,10 +997,14 @@ Supported values are: + **RotateRecoveryPasswords** + + This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate. + The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request. @@ -1074,10 +1078,13 @@ Supported values: Value type is int. Supported operation is Get. + **Status/RotateRecoveryPasswordsStatus** + This node reports the status of RotateRecoveryPasswords request. + Status code can be one of the following: - 2 – Not started @@ -1109,6 +1116,7 @@ Status code can be one of the following: Value type is int. Supported operation is Get. + **Status/RotateRecoveryPasswordsRequestID** This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. From 16ea53ec106378ef094b470f63ca820c8593e528 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 13 Feb 2020 11:23:48 +0500 Subject: [PATCH 04/14] Few fixes for Markdown Made a few changes to adjust the rich text difference. --- .../client-management/mdm/bitlocker-csp.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 9244d5d9db..6ba943ffca 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -911,7 +911,6 @@ The following list shows the supported values: int - 0 @@ -961,11 +960,16 @@ If you want to disable this policy use the following SyncML: ``` + + **ConfigureRecoveryPasswordRotation** + This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. + + @@ -988,14 +992,19 @@ This setting initiates a client-driven recovery password refresh after an OS dri
    + Value type is int. Supported operations are Add, Delete, Get, and Replace. + + Supported values are: - 0 – Refresh off (default) - 1 – Refresh on for Azure AD-joined devices - 2 – Refresh on for both Azure AD-joined and hybrid-joined devices + + **RotateRecoveryPasswords** @@ -1038,11 +1047,14 @@ Each server-side recovery key rotation is represented by a request ID. The serve + Value type is string. Supported operation is Execute. Request ID is expected as a parameter. **Status** Interior node. Supported operation is Get. + + **Status/DeviceEncryptionStatus** @@ -1070,13 +1082,17 @@ This node reports compliance state of device encryption on the system. + Supported values: - 0 - Indicates that the device is compliant. - Any other value represents a non-compliant device. + Value type is int. Supported operation is Get. + + **Status/RotateRecoveryPasswordsStatus** @@ -1113,11 +1129,15 @@ Status code can be one of the following: + Value type is int. Supported operation is Get. + + **Status/RotateRecoveryPasswordsRequestID** + This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. @@ -1143,7 +1163,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta cross mark + + Value type is string. Supported operation is Get. ### SyncML example From e9e4f7511aae902f1afd606013b2f45b5d4dc372 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 13 Feb 2020 11:48:47 -0800 Subject: [PATCH 05/14] updated topic for the secure score removal --- .../configuration-score.md | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index a040722887..5b876f90b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -1,6 +1,6 @@ --- title: Overview of Configuration score in Microsoft Defender Security Center -description: Expand your visibility into the overall security configuration posture of your organization +description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -8,45 +8,50 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- # Configuration score + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. +> Secure score is now part of Threat & Vulnerability Management as Configuration score. -The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks. +Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: -Your configuration score widget shows the collective security configuration state of your machines across the following categories: - Application - Operating system - Network - Accounts - Security controls -## How it works ->[!NOTE] -> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. +A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. + +## How it works + +>[!NOTE] +> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. + +The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: -The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets - Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration - Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) - Collect and monitor changes of security control configuration state from all assets -From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. +From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. ## Improve your configuration score + The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on: + - **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** - **Remediation type** — **Configuration change** or **Software update** @@ -64,6 +69,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com >2. Key-in the security update KB number that you need to download, then click **Search**. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) @@ -78,4 +84,3 @@ See how you can [improve your security configuration](https://docs.microsoft.com - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) - [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) - From 8fd1dd36df45c27284fd6fdf5635757b7aefe66c Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 13 Feb 2020 11:52:48 -0800 Subject: [PATCH 06/14] config score redirect --- .openpublishing.redirection.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 5ad808dbe7..8012e7c7c5 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1727,6 +1727,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications", "redirect_document_id": true @@ -15705,6 +15710,6 @@ "source_path": "windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md", "redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview", "redirect_document_id": false -}, +} ] } From ee69bf26040a6a1aaea270fd7b7af71310968f88 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 13 Feb 2020 11:54:10 -0800 Subject: [PATCH 07/14] delete file --- .../overview-secure-score.md | 93 ------------------- 1 file changed, 93 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md deleted file mode 100644 index f08e397a67..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ /dev/null @@ -1,93 +0,0 @@ ---- -title: Overview of Secure score in Microsoft Defender Security Center -description: Expand your visibility into the overall security posture of your organization -keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Overview of Secure score in Microsoft Defender Security Center -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. - -The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. - ->[!IMPORTANT] -> This feature is available for machines on Windows 10, version 1703 or later. - - -The **Secure score dashboard** displays a snapshot of: -- Microsoft secure score -- Secure score over time -- Top recommendations -- Improvement opportunities - - -![Secure score dashboard](images/new-secure-score-dashboard.png) - -## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. - -![Image of Microsoft secure score tile](images/mss.png) - -Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). - -The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). - -In the example image, the total points for the security controls and Office 365 add up to 602 points. - -You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). - -## Secure score over time -You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. - -![Image of the security score over time tile](images/new-ssot.png) - -You can mouse over specific date points to see the total score for that security control is on a specific date. - - -## Top recommendations -Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action. - -![Top recommendations tile](images/top-recommendations.png) - -## Improvement opportunities -Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. - -Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made. - - - -![Improvement opportunities](images/io.png) - - -Within the tile, you can click on each control to see the recommended optimizations. - -Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. - -## Related topic -- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Threat analytics](threat-analytics.md) - From e1fca675876f0c5dbdc34313a49be28f2976380a Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 19 Feb 2020 15:32:32 -0800 Subject: [PATCH 08/14] Microsoft Secure Score --- .../microsoft-defender-atp/advanced-features.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index bf486af90d..4b41111aaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -108,6 +108,10 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct >[!NOTE] >You'll need to have the appropriate license to enable this feature. +## Microsoft Secure Score + +Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. + ### Enable the Microsoft Defender ATP integration from the Azure ATP portal To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. From dbb3f3d6257c36a4371bc364cee389c993a8f9e9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 21 Feb 2020 12:03:21 +0500 Subject: [PATCH 09/14] Update surface-hub-update-history.md --- devices/surface-hub/surface-hub-update-history.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 5d6989d80b..50af49ec5c 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -530,7 +530,6 @@ This update to the Surface Hub includes quality improvements and security fixes. ## Related topics -* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967) * [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328) * [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq) * [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327) From b2cf8944da6adb8d07452383625eceefda24745d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 21 Feb 2020 16:34:31 +0500 Subject: [PATCH 10/14] Update audit-filtering-platform-policy-change.md --- .../auditing/audit-filtering-platform-policy-change.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index 4103970aa4..204a9b6320 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -32,14 +32,6 @@ Audit Filtering Platform Policy Change allows you to audit events generated by c Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This subcategory is outside the scope of this document. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| -| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | -| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | -| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | - - 4709(S): IPsec Services was started. - 4710(S): IPsec Services was disabled. From e3ba16ab264549a99b7f2f5fe251cc55df48010b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 21 Feb 2020 09:07:07 -0800 Subject: [PATCH 11/14] Update index.md --- windows/security/threat-protection/index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index fe2f573495..968151ac71 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -100,7 +100,6 @@ Endpoint detection and response capabilities are put in place to detect, investi In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) -- [Overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) - [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) @@ -147,4 +146,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. \ No newline at end of file + With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. From 6c2448aa4717a09b17b96e9c443d1ccf83462536 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 21 Feb 2020 09:53:09 -0800 Subject: [PATCH 12/14] no more secure score --- .openpublishing.redirection.json | 12 +- windows/security/threat-protection/TOC.md | 5 - windows/security/threat-protection/index.md | 12 +- .../advanced-features.md | 1 - .../configure-email-notifications.md | 1 - .../data-retention-settings.md | 1 - .../enable-secure-score.md | 2 +- .../machines-view-overview.md | 2 +- ...oft-defender-advanced-threat-protection.md | 6 +- .../microsoft-defender-atp/oldTOC.txt | 6 - .../microsoft-defender-atp/onboard.md | 1 - .../microsoft-defender-atp/overview.md | 2 +- .../microsoft-defender-atp/portal-overview.md | 2 +- .../microsoft-defender-atp/product-brief.md | 15 +- .../secure-score-dashboard.md | 315 ------------------ .../security-operations-dashboard.md | 2 +- .../threat-and-vuln-mgt-scenarios.md | 3 +- .../microsoft-defender-atp/tvm-remediation.md | 8 +- .../microsoft-defender-atp/use.md | 4 +- .../why-use-microsoft-antivirus.md | 2 +- 20 files changed, 41 insertions(+), 361 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8012e7c7c5..1e5f3dcc03 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1729,7 +1729,17 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", -"redirect_document_id": true +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md", diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c969d4994f..6ae84d007a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -108,7 +108,6 @@ #### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) #### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) -### [Secure score](microsoft-defender-atp/overview-secure-score.md) ### [Threat analytics](microsoft-defender-atp/threat-analytics.md) ### [Advanced hunting]() @@ -342,9 +341,6 @@ #### [Privacy](microsoft-defender-atp/mac-privacy.md) #### [Resources](microsoft-defender-atp/mac-resources.md) - -### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) - ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) ### [Management and API support]() @@ -561,7 +557,6 @@ #### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) #### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) #### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) -#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) #### [Configure advanced features](microsoft-defender-atp/advanced-features.md) ### [Permissions]() diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 16ddcac988..fe37c119b1 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, configuration score, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -106,14 +106,12 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft -**[Secure score](microsoft-defender-atp/overview-secure-score.md)**
    +**[Configuration Score](microsoft-defender-atp/configuration-score.md)**
    >[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). -Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. -- [Asset inventory](microsoft-defender-atp/secure-score-dashboard.md) -- [Recommended improvement actions](microsoft-defender-atp/secure-score-dashboard.md) -- [Secure score](microsoft-defender-atp/overview-secure-score.md) +Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +- [Configuration score](microsoft-defender-atp/configuration-score.md) - [Threat analytics](microsoft-defender-atp/threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 4b41111aaa..2326198e30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -189,4 +189,3 @@ You'll have access to upcoming features which you can provide feedback on to hel - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 8fafbb0b85..96650774c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -100,5 +100,4 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update data retention settings](data-retention-settings.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 703b8a3412..d2df7a0c6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -44,5 +44,4 @@ During the onboarding process, a wizard takes you through the general settings o - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md index 8829cf492a..76c04110e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md @@ -38,7 +38,7 @@ Set the baselines for calculating the score of security controls on the Secure S 3. Click **Save preferences**. ## Related topics -- [View the Secure Score dashboard](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index 3380258c96..6b96503525 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -78,7 +78,7 @@ Filter by machines that are well configured or require attention based on the se - **Well configured** - Machines have the security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. -For more information, see [View the Secure Score dashboard](secure-score-dashboard.md). +For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). ### Threat mitigation status diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index b08c20b0a4..9c596b4ec9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -98,11 +98,11 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft -**[Secure score](overview-secure-score.md)**
    +**[Configuration score](configuration-score.md)**
    > [!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). -Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index a65e4c2dbb..51d5efdc49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -95,9 +95,6 @@ #### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md) -### [Secure score](overview-secure-score.md) - - ### [Threat analytics](threat-analytics.md) @@ -298,8 +295,6 @@ ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -### [Configure Secure score dashboard security controls](secure-score-dashboard.md) - ### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) @@ -481,7 +476,6 @@ ##### [Update data retention settings](data-retention-settings.md) ##### [Configure alert notifications](configure-email-notifications.md) ##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md) -##### [Enable Secure score security controls](enable-secure-score.md) ##### [Configure advanced features](advanced-features.md) #### [Permissions]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 0d041b05e3..c304bcfd54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -31,7 +31,6 @@ Topic | Description :---|:--- [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. -[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index 0e926f6f8d..8600ed540e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -38,7 +38,7 @@ Topic | Description [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. [Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. +[Configuration score](configuration-score.md) | Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls. [Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.

    **NOTE:**

    Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

    If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. [Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules. [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 480df72feb..ceb8637a40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -122,5 +122,5 @@ Icon | Description ## Related topics - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [View the Security operations dashboard](security-operations-dashboard.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md index 2a83d109de..e69a6bc890 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md +++ b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md @@ -36,33 +36,33 @@ Capability | Description **Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. **Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. **Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. **Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. -**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization. +**Configuration Score** | Microsoft Defender ATP includes configuration score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization. **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization. **Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows. **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | | Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. - -- **Cloud security analytics**: Leveraging big-data, machine-learning, and +- **Cloud security analytics**: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats. -- **Threat intelligence**: Generated by Microsoft hunters, security teams, +- **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data. ## Licensing requirements + Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 @@ -71,4 +71,5 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 A5 (M365 A5) ## Related topic + - [Prepare deployment](prepare-deployment.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md deleted file mode 100644 index 1ac2ee7415..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ /dev/null @@ -1,315 +0,0 @@ ---- -title: Configure the security controls in Secure score -description: Configure the security controls in Secure score -keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Configure the security controls in Secure score - -**Applies to:** - -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. - -Each security control lists recommendations that you can take to increase the security posture of your organization. - -### Endpoint detection and response (EDR) optimization - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -#### Minimum baseline configuration setting for EDR - -* Microsoft Defender ATP sensor is on -* Data collection is working correctly -* Communication to Microsoft Defender ATP service is not impaired - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Turn on sensor -* Fix sensor data collection -* Fix impaired communications - -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -### Windows Defender Antivirus (Windows Defender AV) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -#### Minimum baseline configuration setting for Windows Defender AV: -A well-configured machine for Windows Defender AV meets the following requirements: - -- Windows Defender AV is reporting correctly -- Windows Defender AV is turned on -- Security intelligence is up-to-date -- Real-time protection is on -- Potentially Unwanted Application (PUA) protection is enabled - -You can take the following actions to increase the overall security score of your organization: - ->[!NOTE] -> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine. - -- Fix antivirus reporting - - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). -- Turn on antivirus -- Update antivirus Security intelligence -- Turn on real-time protection -- Turn on PUA protection - -For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - -### OS security updates optimization - -This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -You can take the following actions to increase the overall security score of your organization: - -* Install the latest security updates -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). - -### Windows Defender Exploit Guard (Windows Defender EG) optimization - - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender EG - -Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: - -* System level protection settings are configured correctly -* Attack Surface Reduction rules are configured correctly -* Controlled Folder Access setting is configured correctly - -##### System level protection - -The following system level configuration settings must be set to **On or Force On**: - -1. Control Flow Guard -2. Data Execution Prevention (DEP) -3. Randomize memory allocations (Bottom-up ASLR) -4. Validate exception chains (SEHOP) -5. Validate heap integrity - -> [!NOTE] -> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. -> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. - -##### Attack Surface Reduction (ASR) rules - -The following ASR rules must be configured to **Block mode**: - -Rule description | GUIDs --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - -> [!NOTE] -> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. -> Consider enabling this rule in **Audit** or **Block mode** for better protection. - -##### Controlled Folder Access - -The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. - -> [!NOTE] -> Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. -> Consider enabling Controlled Folder Access for better protection. - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -- Turn on all system-level Exploit Protection settings -- Set all ASR rules to enabled or audit mode -- Turn on Controlled Folder Access -- Turn on Windows Defender Antivirus on compatible machines - -### Windows Defender Application Guard (Windows Defender AG) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. - -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender AG: -A well-configured machine for Windows Defender AG meets the following requirements: - -- Hardware and software prerequisites are met -- Windows Defender AG is turned on compatible machines -- Managed mode is turned on - -You can take the following actions to increase the overall security score of your organization: - -* Ensure hardware and software prerequisites are met - - > [!NOTE] - > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. - -* Turn on Microsoft Defender AG on compatible machines -* Turn on managed mode - -For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). - -### Windows Defender SmartScreen optimization - -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. - -> [!WARNING] -> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender SmartScreen: - -The following settings must be configured with the following settings: - -* Check apps and files: **Warn** or **Block** -* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block** -* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off** - -You can take the following actions to increase the overall security score of your organization: - -- Set **Check app and files** to **Warn** or **Block** -- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block** -- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off** - -For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -* Set **Check app and files** to **Warn** or **Block** -* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block** -* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off** - -For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -### Windows Defender Firewall optimization - -A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender Firewall - -* Microsoft Defender Firewall is turned on for all network connections -* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked - -For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). - -> [!NOTE] -> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Turn on firewall -* Secure domain profile -* Secure private profile -* Secure public profile -* Verify secure configuration of third-party firewall -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). - -### BitLocker optimization - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1803 or later. - -#### Minimum baseline configuration setting for BitLocker - -* Ensure all supported drives are encrypted -* Ensure that all suspended protection on drives resume protection -* Ensure that drives are compatible - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Encrypt all supported drives -* Resume protection on all drives -* Ensure drive compatibility -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). - -### Windows Defender Credential Guard optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender Credential Guard: -Well-configured machines for Windows Defender Credential Guard meets the following requirements: - -- Hardware and software prerequisites are met -- Windows Defender Credential Guard is turned on compatible machines - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Ensure hardware and software prerequisites are met -* Turn on Credential Guard -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) - -## Related topics - -* [Overview of Secure score](overview-secure-score.md) -* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -* [Exposure score](tvm-exposure-score.md) -* [Configuration score](configuration-score.md) -* [Security recommendations](tvm-security-recommendation.md) -* [Remediation](tvm-remediation.md) -* [Software inventory](tvm-software-inventory.md) -* [Weaknesses](tvm-weaknesses.md) -* [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index ea54e6d0ea..00820b5fe4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -121,5 +121,5 @@ Click the user account to see details about the user account. For more informati ## Related topics - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [Portal overview](portal-overview.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 7df11c3d9e..9f6f5b45c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -85,8 +85,9 @@ To lower down your threat and vulnerability exposure: 6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. ## Improve your security configuration + >[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index ffd3002549..a0465dd642 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -66,10 +66,10 @@ When you submit a remediation request from Threat & Vulnerability Management, it It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. -The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. +The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. ## When to file for exception instead of remediating issues -You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. +You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score. When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. @@ -113,10 +113,10 @@ Clicking the link opens up to the **Security recommendations** page, where you c - **In effect** - The exception that you've filed is in progress ### Exception impact on scores -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner: +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner: - **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores - **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made The exception impact shows on both the Security recommendations page column and in the flyout pane. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index dbf6830312..1b86e94b66 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -29,7 +29,7 @@ Microsoft Defender Security Center is the portal where you can access Microsoft Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. -Use the **Secure Score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. +Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. @@ -39,5 +39,5 @@ Topic | Description :---|:--- [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. [View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. +[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines. [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 57b00a8aa0..9ba7a43bf9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -34,7 +34,7 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender | |Advantage |Why it matters | |--|--|--| |1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | -|2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|2|Threat analytics and your configuration score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | |3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| |4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| From 0c5d83786e197895f5ce32f2b373085a582df757 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 21 Feb 2020 10:32:29 -0800 Subject: [PATCH 13/14] Update manage-auto-investigation.md --- .../manage-auto-investigation.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 04e76fc5f1..2114c8e188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -21,7 +21,22 @@ ms.topic: conceptual When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. -As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner. +## Remediation actions + +When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: +- Quarantine file +- Remove registry key +- Kill process +- Stop service +- Remove registry key +- Disable driver +- Remove scheduled task + +Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner. + +No actions are taken when evidence is determined to be *Clean*. + +In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and viewable in the Microsoft Defender Security Center. ## Review pending actions @@ -35,7 +50,6 @@ As a best practice, make sure to approve (or reject) pending actions as soon as You can also select multiple investigations to approve or reject actions on multiple investigations. - ## Review completed actions From c884a85484cc9907322a6169ce0733436eb74b85 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 21 Feb 2020 10:38:06 -0800 Subject: [PATCH 14/14] AIR fixes --- .../auto-investigation-action-center.md | 4 +--- .../microsoft-defender-atp/automated-investigations.md | 6 ++++++ .../microsoft-defender-atp/manage-auto-investigation.md | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index d297b71baf..fdb2c392fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -18,8 +18,7 @@ ms.topic: article # View details and results of automated investigations - -Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). +Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). >[!NOTE] >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. @@ -65,7 +64,6 @@ On the **Investigations** page, you can view details and use filters to focus on |**Tags** |Filter using manually added tags that capture the context of an automated investigation.| |**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| - ## Automated investigation status An automated investigation can be have one of the following status values: diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 346bd331f0..17a56b7252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -85,3 +85,9 @@ When a pending action is approved, the entity is then remediated and this new st ## Next step - [Learn about the automated investigations dashboard](manage-auto-investigation.md) + +## Related articles + +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) + +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 2114c8e188..8289129ad0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -63,4 +63,6 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and v ## Related articles -[Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) \ No newline at end of file +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) + +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file