mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-25 23:33:35 +00:00
Merge branch 'master' into jreeds-rebrand-antivirus
This commit is contained in:
Jeff Reeds (Aquent LLC)
@ -74,7 +74,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
|
||||
- Microsoft Remote Desktop
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
|
||||
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
|
||||
|
||||
## List of WIP-work only apps from Microsoft
|
||||
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
|
||||
|
||||
@ -145,8 +145,8 @@ This table provides info about the most common problems you might encounter whil
|
||||
> [!NOTE]
|
||||
> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
|
||||
|
||||
> [!NOTE]
|
||||
> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**.
|
||||
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
|
||||
|
||||
@ -327,6 +327,8 @@
|
||||
|
||||
### [Behavioral blocking and containment]()
|
||||
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
|
||||
#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
|
||||
#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
|
||||
#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
|
||||
|
||||
### [Automated investigation and response (AIR)]()
|
||||
@ -571,7 +573,6 @@
|
||||
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
|
||||
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
|
||||
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
|
||||
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
|
||||
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
|
||||
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
|
||||
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
|
||||
|
||||
@ -230,7 +230,7 @@ This event generates when a logon session is created (on destination machine). I
|
||||
|
||||
**Network Information:**
|
||||
|
||||
- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
|
||||
- **Workstation Name** \[Type = UnicodeString\]**:** machine name to which logon attempt was performed.
|
||||
|
||||
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
|
||||
|
||||
|
||||
@ -50,9 +50,9 @@ The following image shows an example of an alert that was triggered by behaviora
|
||||
|
||||
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
|
||||
|
||||
- **Client behavioral blocking** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
|
||||
- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
|
||||
|
||||
- **Feedback-loop blocking** (also referred to as rapid protection) Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
|
||||
- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
|
||||
|
||||
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
|
||||
|
||||
@ -60,6 +60,22 @@ Expect more to come in the area of behavioral blocking and containment, as Micro
|
||||
|
||||
## Examples of behavioral blocking and containment in action
|
||||
|
||||
Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
|
||||
|
||||
- Credential dumping from LSASS
|
||||
- Cross-process injection
|
||||
- Process hollowing
|
||||
- User Account Control bypass
|
||||
- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
|
||||
- Contacting Command and Control (C&C) to download payloads
|
||||
- Coin mining
|
||||
- Boot record modification
|
||||
- Pass-the-hash attacks
|
||||
- Installation of root certificate
|
||||
- Exploitation attempt for various vulnerabilities
|
||||
|
||||
Below are two real-life examples of behavioral blocking and containment in action.
|
||||
|
||||
### Example 1: Credential theft attack against 100 organizations
|
||||
|
||||
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
|
||||
@ -92,12 +108,12 @@ This example shows that with behavioral blocking and containment capabilities, t
|
||||
|
||||
## Next steps
|
||||
|
||||
- [Learn more about recent global threat activity](https://www.microsoft.com/wdsi/threats)
|
||||
|
||||
- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
|
||||
|
||||
- [Configure your attack surface reduction rules](attack-surface-reduction.md)
|
||||
|
||||
- [Enable EDR in block mode](edr-in-block-mode.md)
|
||||
|
||||
- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
|
||||
- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
|
||||
|
||||
- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
|
||||
|
||||
@ -0,0 +1,90 @@
|
||||
---
|
||||
title: Client behavioral blocking
|
||||
description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
|
||||
keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.reviewer: shwetaj
|
||||
audience: ITPro
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.localizationpriority: medium
|
||||
ms.custom:
|
||||
- next-gen
|
||||
- edr
|
||||
ms.collection:
|
||||
---
|
||||
|
||||
# Client behavioral blocking
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
## Overview
|
||||
|
||||
Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
|
||||
|
||||
:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
|
||||
|
||||
Antivirus protection works best when paired with cloud protection.
|
||||
|
||||
## How client behavioral blocking works
|
||||
|
||||
[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
|
||||
|
||||
Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
|
||||
|
||||
Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
|
||||
|
||||
## Behavior-based detections
|
||||
|
||||
Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
|
||||
|
||||
|
||||
|Tactic | Detection threat name |
|
||||
|----|----|
|
||||
|Initial Access | Behavior:Win32/InitialAccess.*!ml |
|
||||
|Execution | Behavior:Win32/Execution.*!ml |
|
||||
|Persistence | Behavior:Win32/Persistence.*!ml |
|
||||
|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
|
||||
|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
|
||||
|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
|
||||
|Discovery | Behavior:Win32/Discovery.*!ml |
|
||||
|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
|
||||
|Collection | Behavior:Win32/Collection.*!ml |
|
||||
|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
|
||||
|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
|
||||
|Impact | Behavior:Win32/Impact.*!ml |
|
||||
|Uncategorized | Behavior:Win32/Generic.*!ml |
|
||||
|
||||
> [!TIP]
|
||||
> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
|
||||
|
||||
|
||||
## Configuring client behavioral blocking
|
||||
|
||||
If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
|
||||
|
||||
- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
|
||||
|
||||
- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
|
||||
|
||||
- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
|
||||
|
||||
- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
|
||||
|
||||
- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Behavioral blocking and containment](behavioral-blocking-containment.md)
|
||||
|
||||
- [Feedback-loop blocking](feedback-loop-blocking.md)
|
||||
|
||||
- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
|
||||
|
||||
- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
|
||||
@ -27,10 +27,10 @@ ms.topic: article
|
||||
|
||||
## Pull detections using security information and events management (SIEM) tools
|
||||
|
||||
>[!Note]
|
||||
>[!NOTE]
|
||||
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
|
||||
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
|
||||
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
|
||||
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
|
||||
|
||||
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
|
||||
|
||||
|
||||
@ -0,0 +1,58 @@
|
||||
---
|
||||
title: Feedback-loop blocking
|
||||
description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
|
||||
keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.reviewer: shwetaj
|
||||
audience: ITPro
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.localizationpriority: medium
|
||||
ms.custom:
|
||||
- next-gen
|
||||
- edr
|
||||
ms.collection:
|
||||
---
|
||||
|
||||
# Feedback-loop blocking
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
## Overview
|
||||
|
||||
Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks.
|
||||
|
||||
## How feedback-loop blocking works
|
||||
|
||||
When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
|
||||
|
||||
With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
|
||||
|
||||
|
||||
## Configuring feedback-loop blocking
|
||||
|
||||
If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
|
||||
|
||||
- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
|
||||
|
||||
- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
|
||||
|
||||
- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
|
||||
|
||||
- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
|
||||
|
||||
- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Behavioral blocking and containment](behavioral-blocking-containment.md)
|
||||
|
||||
- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
|
||||
|
||||
- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
|
||||
@ -46,6 +46,15 @@ To have your company listed as a partner in the in-product partner page, you wil
|
||||
3. Provide a 15-word product description.
|
||||
4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
|
||||
5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
|
||||
6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
|
||||
Follow these steps:
|
||||
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
|
||||
|
||||
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`.
|
||||
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`.
|
||||
|
||||
2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
|
||||
For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
|
||||
|
||||
|
||||
Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 343 KiB After Width: | Height: | Size: 300 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 81 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 134 KiB |
@ -41,7 +41,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
|
||||
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
|
||||
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
|
||||
|
||||
|
||||
|
||||
|
||||
5. From a command prompt, verify that you have the two files.
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ For more information about onboarding methods, see the following articles:
|
||||
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
|
||||
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
|
||||
|
||||
## On-premise machines
|
||||
## On-premises machines
|
||||
|
||||
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
|
||||
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
|
||||
|
||||
@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
|
||||
|
||||
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
|
||||
|
||||
Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
|
||||
4. Install the Microsoft Monitoring Agent (MMA). <br>
|
||||
MMA is currently (as of January 2019) supported on the following Windows Operating
|
||||
Systems:
|
||||
|
||||
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
|
||||
following lines and save the file:
|
||||
- Server SKUs: Windows Server 2008 SP1 or Newer
|
||||
|
||||
|
||||
- Client SKUs: Windows 7 SP1 and later
|
||||
|
||||
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
|
||||
The MMA agent will need to be installed on Windows devices. To install the
|
||||
agent, some systems will need to download the [Update for customer experience
|
||||
and diagnostic
|
||||
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
||||
in order to collect the data with MMA. These system versions include but may not
|
||||
be limited to:
|
||||
|
||||
|
||||
- Windows 8.1
|
||||
|
||||
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
|
||||
Systems:
|
||||
- Windows 7
|
||||
|
||||
- Server SKUs: Windows Server 2008 SP1 or Newer
|
||||
- Windows Server 2016
|
||||
|
||||
- Client SKUs: Windows 7 SP1 and later
|
||||
- Windows Server 2012 R2
|
||||
|
||||
The MMA agent will need to be installed on Windows devices. To install the
|
||||
agent, some systems will need to download the [Update for customer experience
|
||||
and diagnostic
|
||||
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
||||
in order to collect the data with MMA. These system versions include but may not
|
||||
be limited to:
|
||||
- Windows Server 2008 R2
|
||||
|
||||
- Windows 8.1
|
||||
Specifically, for Windows 7 SP1, the following patches must be installed:
|
||||
|
||||
- Windows 7
|
||||
- Install
|
||||
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
||||
|
||||
- Windows Server 2016
|
||||
- Install either [.NET Framework
|
||||
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
|
||||
later) **or**
|
||||
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
|
||||
Do not install both on the same system.
|
||||
|
||||
- Windows Server 2012 R2
|
||||
5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
|
||||
|
||||
- Windows Server 2008 R2
|
||||
|
||||
Specifically, for Windows 7 SP1, the following patches must be installed:
|
||||
|
||||
- Install
|
||||
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
||||
|
||||
- Install either [.NET Framework
|
||||
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
|
||||
later) **or**
|
||||
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
|
||||
Do not install both on the same system.
|
||||
|
||||
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
|
||||
below to utilize the provided batch files to onboard the systems. The CMD file
|
||||
when executed, will require the system to copy files from a network share by the
|
||||
System, the System will install MMA, Install the DependencyAgent, and configure
|
||||
MMA for enrollment into the workspace.
|
||||
|
||||
|
||||
1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
|
||||
Library**.
|
||||
|
||||
2. Expand **Application Management**.
|
||||
|
||||
3. Right-click **Packages** then select **Create Package**.
|
||||
|
||||
4. Provide a Name for the package, then click **Next**
|
||||
|
||||
|
||||
|
||||
5. Verify **Standard Program** is selected.
|
||||
|
||||
|
||||
|
||||
6. Click **Next**.
|
||||
|
||||
|
||||
|
||||
7. Enter a program name.
|
||||
|
||||
8. Browse to the location of the InstallMMA.cmd.
|
||||
|
||||
9. Set Run to **Hidden**.
|
||||
|
||||
10. Set **Program can run** to **Whether or not a user is logged on**.
|
||||
|
||||
11. Click **Next**.
|
||||
|
||||
12. Set the **Maximum allowed run time** to 720.
|
||||
|
||||
13. Click **Next**.
|
||||
|
||||
|
||||
|
||||
14. Verify the configuration, then click **Next**.
|
||||
|
||||
|
||||
|
||||
15. Click **Next**.
|
||||
|
||||
16. Click **Close**.
|
||||
|
||||
17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
|
||||
Onboarding Package just created and select **Deploy**.
|
||||
|
||||
18. On the right panel select the appropriate collection.
|
||||
|
||||
19. Click **OK**.
|
||||
Once completed, you should see onboarded endpoints in the portal within an hour.
|
||||
|
||||
## Next generation protection
|
||||
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
|
||||
|
||||
@ -144,6 +144,9 @@ Appendix section in this document for the URLs Whitelisting or on
|
||||
[Microsoft
|
||||
Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
|
||||
|
||||
> [!NOTE]
|
||||
> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus).
|
||||
|
||||
**Manual static proxy configuration:**
|
||||
|
||||
- Registry based configuration
|
||||
|
||||
@ -30,20 +30,20 @@ ms.topic: article
|
||||
|
||||
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
|
||||
|
||||
1. Create a folder: 'C:\test-WDATP-test'.
|
||||
1. Create a folder: 'C:\test-MDATP-test'.
|
||||
2. Open an elevated command-line prompt on the machine and run the script:
|
||||
|
||||
a. Go to **Start** and type **cmd**.
|
||||
1. Go to **Start** and type **cmd**.
|
||||
|
||||
b. Right-click **Command Prompt** and select **Run as administrator**.
|
||||
1. Right-click **Command Prompt** and select **Run as administrator**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. At the prompt, copy and run the following command:
|
||||
|
||||
```
|
||||
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
|
||||
```
|
||||
```powershell
|
||||
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
|
||||
```
|
||||
|
||||
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
|
||||
|
||||
|
||||
@ -82,7 +82,7 @@ When a local setting is greyed out, it indicates that a GPO currently controls t
|
||||
|
||||
### Command-line tools
|
||||
|
||||
This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevalution /?** at the command prompt.
|
||||
This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevaluation /?** at the command prompt.
|
||||
|
||||
## Security considerations
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ author: denisebmsft
|
||||
ms.reviewer: isbrahm
|
||||
ms.author: deniseb
|
||||
manager: dansimp
|
||||
ms.date: 04/15/2020
|
||||
ms.date: 05/26/2020
|
||||
ms.custom: asr
|
||||
---
|
||||
|
||||
@ -43,12 +43,12 @@ Windows 10 includes two technologies that can be used for application control de
|
||||
|
||||
## In this section
|
||||
|
||||
| Topic | Description |
|
||||
| - | - |
|
||||
| [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
|
||||
| [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
|
||||
| Article | Description |
|
||||
| --- | --- |
|
||||
| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
|
||||
| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
|
||||
|
||||
## See also
|
||||
## Related articles
|
||||
|
||||
- [WDAC design guide](windows-defender-application-control-design-guide.md)
|
||||
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
|
||||
|
||||
Reference in New Issue
Block a user