deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into lsaldanha-4611645-ESIM

Browse Source
This commit is contained in:
Daniel Simpson
2020-11-06 11:18:44 -08:00
committed by GitHub
parent bec0176899 c55414ff05
commit 2e2e6c92a5
95 changed files with 1252 additions and 445 deletions
Download Patch File Download Diff File Expand all files Collapse all files

697
windows/client-management/mdm/policy-ddf-file.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 06/03/2020
ms.date: 10/28/2020
---
# Policy DDF file
@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can view various Policy DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
@ -32,7 +33,7 @@ You can view various Policy DDF files by clicking the following links:
You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the DDF for Windows 10, version 2004.
The XML below is the DDF for Windows 10, version 20H2.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -8713,6 +8714,52 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Multitasking</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BrowserAltTabBlowout</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Configures the inclusion of Edge tabs into Alt-Tab.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Notifications</NodeName>
<DFProperties>
@ -18919,6 +18966,55 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Multitasking</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BrowserAltTabBlowout</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Configures the inclusion of Edge tabs into Alt-Tab.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues AllowedValues="1,2,3,4"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>multitasking.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>AltTabFilterDropdown</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>multitasking~AT~WindowsComponents~MULTITASKING</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>MultiTaskingAltTabFilter</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Notifications</NodeName>
<DFProperties>
@ -29757,6 +29853,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCloudOptimizedContent</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DoNotShowFeedbackNotifications</NodeName>
<DFProperties>
@ -38353,6 +38473,60 @@ The options are:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LocalUsersAndGroups</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Configure</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This Setting allows an administrator to manage local groups on a Device.
Possible settings:
1. Update Group Membership: Update a group and add and/or remove members though the &apos;U&apos; action.
When using Update, existing group members that are not specified in the policy remain untouched.
2. Replace Group Membership: Restrict a group by replacing group membership through the &apos;R&apos; action.
When using Replace, existing group membership is replaced by the list of members specified in
the add member section. This option works in the same way as a Restricted Group and any group
members that are not specified in the policy are removed.
Caution: If the same group is configured with both Replace and Update, then Replace will win.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LockDown</NodeName>
<DFProperties>
@ -38563,6 +38737,148 @@ The options are:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MixedReality</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AADGroupMembershipCacheValidityInDays</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BrightnessButtonDisabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FallbackDiagnostics</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MicrophoneDisabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>VolumeButtonDisabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MSSecurityGuide</NodeName>
<DFProperties>
@ -47384,6 +47700,30 @@ If you disable or do not configure this policy setting, the wake setting as spec
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisableWUfBSafeguards</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EngagedRestartDeadline</NodeName>
<DFProperties>
@ -48152,6 +48492,30 @@ If you disable or do not configure this policy setting, the wake setting as spec
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SetProxyBehaviorForUpdateDetection</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TargetReleaseVersion</NodeName>
<DFProperties>
@ -61298,6 +61662,33 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCloudOptimizedContent</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ADMXMapped>CloudContent.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>CloudContent~AT~WindowsComponents~CloudContent</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>DisableCloudOptimizedContent</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>DoNotShowFeedbackNotifications</NodeName>
<DFProperties>
@ -70811,6 +71202,116 @@ The options are:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LocalUsersAndGroups</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Configure</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>This Setting allows an administrator to manage local groups on a Device.
Possible settings:
1. Update Group Membership: Update a group and add and/or remove members though the &apos;U&apos; action.
When using Update, existing group members that are not specified in the policy remain untouched.
2. Replace Group Membership: Restrict a group by replacing group membership through the &apos;R&apos; action.
When using Replace, existing group membership is replaced by the list of members specified in
the add member section. This option works in the same way as a Restricted Group and any group
members that are not specified in the policy are removed.
Caution: If the same group is configured with both Replace and Update, then Replace will win.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
<MSFT:XMLSchema><![CDATA[<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="group" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Group Configuration Action</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="action" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="add" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Add</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="remove" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Remove</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="property" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group property to configure</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="desc" type="name" use="required"/>
<xs:attribute name="value" type="name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="GroupConfiguration">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Local Group Configuration</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema]]></MSFT:XMLSchema>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LockDown</NodeName>
<DFProperties>
@ -71027,6 +71528,146 @@ The options are:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MixedReality</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AADGroupMembershipCacheValidityInDays</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="60"></MSFT:SupportedValues>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>BrightnessButtonDisabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>FallbackDiagnostics</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>2</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="2"></MSFT:SupportedValues>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>MicrophoneDisabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>VolumeButtonDisabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MSSecurityGuide</NodeName>
<DFProperties>
@ -80733,6 +81374,30 @@ If you disable or do not configure this policy setting, the wake setting as spec
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>DisableWUfBSafeguards</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues AllowedValues="0,1"></MSFT:SupportedValues>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>EngagedRestartDeadline</NodeName>
<DFProperties>
@ -81607,6 +82272,34 @@ If you disable or do not configure this policy setting, the wake setting as spec
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>SetProxyBehaviorForUpdateDetection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description></Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>SetProxyBehaviorForUpdateDetection</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>CorpWuURL</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>TargetReleaseVersion</NodeName>
<DFProperties>

4
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -247,9 +247,9 @@ This policy allows you to specify how your client(s) can discover Delivery Optim
- 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force.
with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set.

1
windows/deployment/update/windows-update-overview.md
View File

@ -27,6 +27,7 @@ Use the following information to get started with Windows Update:
- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
- Review [other resources](windows-update-resources.md) to help you use Windows Update
- Review [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) section of Microsoft Blogs.
## Unified Update Platform (UUP) architecture
To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.

1
windows/security/threat-protection/TOC.md
View File

@ -65,6 +65,7 @@
##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
#### [Understand vulnerabilities on your devices]()
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -22,9 +22,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
@ -37,7 +37,7 @@ Watch this video for a quick overview of advanced hunting and a short tutorial t
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
>[!TIP]
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
@ -61,7 +61,7 @@ We recommend going through several steps to quickly get up and running with adva
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.
- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -22,9 +22,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
View File

@ -23,9 +23,9 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -24,9 +24,9 @@ ms.date: 01/14/2020
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -23,9 +23,9 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
View File

@ -21,9 +21,9 @@ ms.date: 09/20/2020
# Take action on advanced hunting query results
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
@ -32,7 +32,7 @@ You can quickly contain threats or address compromised assets that you find in [
## Required permissions
To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
*Active remediation actions > Threat and vulnerability management - Remediation handling*
@ -46,7 +46,7 @@ You can take the following actions on devices identified by the `DeviceId` colum
- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices
- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md).
To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md).
## Quarantine files

26
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -18,16 +18,16 @@ ms.topic: article
ms.date: 03/27/2020
---
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
# View and organize the Microsoft Defender for Endpoint Alerts queue
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
@ -61,15 +61,15 @@ Informational </br>(Grey) | Alerts that might not be considered harmful to the n
#### Understanding alert severity
Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes.
The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
So, for example:
- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
- The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
@ -138,11 +138,11 @@ Use this filter to focus on alerts that are related to high profile threats. You
## Related topics
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md)
- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)

4
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Methods

24
windows/security/threat-protection/microsoft-defender-atp/android-configure.md
View File

@ -20,39 +20,39 @@ ms.collection:
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for Android features
# Configure Defender for Endpoint for Android features
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
## Conditional Access with Microsoft Defender ATP for Android
Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active
## Conditional Access with Defender for Endpoint for Android
Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active
Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
based on device risk levels. Defender for Endpoint is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and
Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Configure custom indicators
>[!NOTE]
> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains.
> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains.
Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
>[!NOTE]
> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md)
- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
- [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md)

69
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -20,31 +20,31 @@ ms.collection:
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Android with Microsoft Intune
# Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
- [Defender for Endpoint](microsoft-defender-atp-android.md)
This topic describes deploying Microsoft Defender ATP for Android on Intune
This topic describes deploying Defender for Endpoint for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
> [!NOTE]
> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes.
Updates to the app are automatic via Google Play.
## Deploy on Device Administrator enrolled devices
**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device
**Deploy Defender for Endpoint for Android on Intune Company Portal - Device
Administrator enrolled devices**
This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices.
This topic describes how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
### Add as Android store app
@ -60,13 +60,13 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
- **Name**
- **Description**
- **Publisher** as Microsoft.
- **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL)
- **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL)
Other fields are optional. Select **Next**.
![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png)
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**.
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Click **Select** and then **Next**.
>[!NOTE]
>The selected user group should consist of Intune enrolled users.
@ -77,7 +77,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.
In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png)
@ -92,21 +92,21 @@ completed successfully.
### Complete onboarding and check status
1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.
1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon.
![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.
to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
## Deploy on Android Enterprise enrolled devices
Microsoft Defender ATP for Android supports Android Enterprise enrolled devices.
Defender for Endpoint for Android supports Android Enterprise enrolled devices.
For more information on the enrollment options supported by Intune, see
[Enrollment
@ -116,10 +116,9 @@ Currently only Personal devices with Work Profile enrolled are supported for de
## Add Microsoft Defender ATP for Android as a Managed Google Play app
## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app
Follow the steps below to add Microsoft
Defender ATP app into your managed Google Play.
Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play.
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
@ -131,27 +130,26 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
2. On your managed Google Play page that loads subsequently, go to the search
box and lookup **Microsoft Defender.** Your search should display the Microsoft
Defender ATP app in your Managed Google Play. Click on the Microsoft Defender
ATP app from the Apps search result.
Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
3. In the App description page that comes up next, you should be able to see app
details on Microsoft Defender ATP. Review the information on the page and then
details on Defender for Endpoint. Review the information on the page and then
select **Approve**.
> [!div class="mx-imgBorder"]
> ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
4. You should now be presented with the permissions that Microsoft Defender ATP
4. You should now be presented with the permissions that Defender for Endpoint
obtains for it to work. Review them and then select **Approve**.
![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
5. You'll be presented with the Approval settings page. The page confirms
your preference to handle new app permissions that Microsoft Defender ATP for
your preference to handle new app permissions that Defender for Endpoint for
Android might ask. Review the choices and select your preferred option. Select
**Done**.
@ -162,8 +160,8 @@ permissions*
> ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png)
6. After the permissions handling selection is made, select **Sync** to sync
Microsoft Defender ATP to your apps list.
6. After the permissions handling selection is made, select **Sync** to sync Microsoft
Defender for Endpoint to your apps list.
> [!div class="mx-imgBorder"]
> ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png)
@ -180,7 +178,7 @@ Defender ATP should be visible in the apps list.
> ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png)
9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
@ -213,7 +211,7 @@ Defender ATP should be visible in the apps list.
> ![Image of create app configuration policy](images/android-auto-grant.png)
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app.
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
> [!div class="mx-imgBorder"]
> ![Image of create app configuration policy](images/android-select-group.png)
@ -221,7 +219,7 @@ Defender ATP should be visible in the apps list.
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.
The app configuration policy for Defender for Endpoint auto-granting the storage permission is now assigned to the selected user group.
> [!div class="mx-imgBorder"]
> ![Image of create app configuration policy](images/android-review-create.png)
@ -248,7 +246,7 @@ assignment.
## Complete onboarding and check status
1. Confirm the installation status of Microsoft Defender ATP for Android by
1. Confirm the installation status of Microsoft Defender for Endpoint for Android by
clicking on the **Device Install Status**. Verify that the device is
displayed here.
@ -257,23 +255,22 @@ displayed here.
2. On the device, you can confirm the same by going to the **work profile** and
confirm that Microsoft Defender ATP is available.
confirm that Defender for Endpoint is available.
![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
3. When the app is installed, open the app and accept the permissions
and then your onboarding should be successful.
![Image of mobile device with Microsoft Defender ATP app](images/mda-devicesafe.png)
![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png)
4. At this stage the device is successfully onboarded onto Microsoft Defender
ATP for Android. You can verify this on the [Microsoft Defender Security
4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security
Center](https://securitycenter.microsoft.com)
by navigating to the **Devices** page.
![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
- [Configure Microsoft Defender ATP for Android features](android-configure.md)
- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md)

13
windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
View File

@ -17,23 +17,22 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP for Android - Privacy information
# Microsoft Defender for Endpoint for Android - Privacy information
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP for Android collects information from your configured
Android devices and stores it in the same tenant where you have Microsoft
Defender ATP.
Defender for Endpoint for Android collects information from your configured
Android devices and stores it in the same tenant where you have Defender for Endpoint.
Information is collected to help keep Microsoft Defender ATP for Android secure,
Information is collected to help keep Defender for Endpoint for Android secure,
up-to-date, performing as expected and to support the service.
## Required Data
Required data consists of data that is necessary to make Microsoft Defender ATP
Required data consists of data that is necessary to make Defender for Endpoint
for Android work as expected. This data is essential to the operation of the
service and can include data related to the end user, organization, device, and
apps. Here's a list of the types of data being collected:

9
windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
View File

@ -20,15 +20,14 @@ ms.collection:
ms.topic: conceptual
---
# Troubleshooting issues on Microsoft Defender ATP for Android
# Troubleshooting issues on Microsoft Defender for Endpoint for Android
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for
Android](microsoft-defender-atp-android.md)
- [Defender for Endpoint](microsoft-defender-atp-android.md)
During onboarding, you might encounter sign in issues after the app is installed on your device.
@ -77,7 +76,7 @@ Contact your administrator for help.
- **Xiaomi**
Phishing and harmful web connection threats detected by Microsoft Defender ATP
Phishing and harmful web connection threats detected by Defender for Endpoint
for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices.
![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png)
@ -85,7 +84,7 @@ for Android are not blocked on some Xiaomi devices. The following functionality
**Cause:**
Xiaomi devices introduced a new permission that prevents Microsoft Defender ATP
Xiaomi devices introduced a new permission that prevents Defender for Endpoint
for Android app from displaying pop-up windows while running in the background.
Xiaomi devices permission: "Display pop-up windows while running in the

9
windows/security/threat-protection/microsoft-defender-atp/android-terms.md
View File

@ -19,15 +19,15 @@ ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for Android application license terms
# Microsoft Defender for Endpoint for Android application license terms
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md)
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
These license terms ("Terms") are an agreement between Microsoft Corporation (or
based on where you live, one of its affiliates) and you. Please read them. They
@ -54,7 +54,7 @@ DO NOT USE THE APPLICATION.**
1. **Installation and Use.** You may install and use any number of copies
of this application on Android enabled device or devices that you own
or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
subscription of Microsoft Defender for Endpoint or
an online service that includes MDATP functionalities.
2. **Updates.** Updates or upgrades to MDATP may be required for full
@ -139,6 +139,7 @@ DO NOT USE THE APPLICATION.**
export laws and regulations that apply to the application. These laws
include restrictions on destinations, end users, and end use. For more
information,
see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not

10
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
View File

@ -25,11 +25,11 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
@ -47,7 +47,7 @@ From the left navigation menu, select **Partners & APIs** > **API Explorer**.
## Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
API Explorer supports all the APIs offered by Defender for Endpoint.
The list of supported APIs is available in the [APIs documentation](apis-intro.md).
@ -61,7 +61,7 @@ Some of the samples may require specifying a parameter in the URL, for example,
## FAQ
**Do I need to have an API token to use the API Explorer?** <br>
Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.

14
windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
View File

@ -17,14 +17,14 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP API - Hello World
# Microsoft Defender for Endpoint API - Hello World
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Get Alerts using a simple PowerShell script
@ -47,7 +47,7 @@ For the Application registration stage, you must have a **Global administrator**
3. In the registration form, choose a name for your application and then click **Register**.
4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
@ -177,6 +177,6 @@ Youre all done! You have just successfully:
## Related topic
- [Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md)
- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md)
- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)

6
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
View File

@ -22,9 +22,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
@ -81,4 +81,4 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the
You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Microsoft Defender for Endpoint APIs](apis-intro.md)

24
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -17,28 +17,28 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP detections API fields
# Microsoft Defender for Endpoint detections API fields
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
>- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Detections API fields and portal mapping
The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
Field numbers match the numbers in the images below.
@ -49,12 +49,12 @@ Field numbers match the numbers in the images below.
> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. |
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. |
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. |
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
@ -97,7 +97,7 @@ Field numbers match the numbers in the images below.
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)
- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

8
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -22,11 +22,11 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
In this section you will learn create a Power BI report on top of Defender for Endpoint APIs.
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
@ -133,6 +133,6 @@ View the Microsoft Defender ATP Power BI report samples. For more information, s
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Defender for Endpoint APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Using OData Queries](exposed-apis-odata-samples.md)

4
windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
View File

@ -16,14 +16,14 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP API license and terms of use
# Microsoft Defender for Endpoint API license and terms of use
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
## APIs
Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
### Throttling limits

25
windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
View File

@ -17,33 +17,33 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Access the Microsoft Defender Advanced Threat Protection APIs
# Access the Microsoft Defender for Endpoint APIs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
Watch this video for a quick overview of Microsoft Defender ATP's APIs.
Watch this video for a quick overview of Defender for Endpoint's APIs.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
In general, youll need to take the following steps to use the APIs:
- Create an AAD application
- Get an access token using this application
- Use the token to access Microsoft Defender ATP API
- Use the token to access Defender for Endpoint API
You can access Microsoft Defender ATP API with **Application Context** or **User Context**.
You can access Defender for Endpoint API with **Application Context** or **User Context**.
- **Application Context: (Recommended)** <br>
Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
Steps that need to be taken to access Microsoft Defender ATP API with application context:
Steps that need to be taken to access Defender for Endpoint API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
@ -57,7 +57,8 @@ You can access Microsoft Defender ATP API with **Application Context** or **User
- **User Context:** <br>
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access Microsoft Defender ATP API with user context:
Steps to take to access Defender for Endpoint API with application context:
1. Create AAD Native-Application.
2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
3. Get token using the application with user credentials.
@ -67,6 +68,6 @@ You can access Microsoft Defender ATP API with **Application Context** or **User
## Related topics
- [Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md)
- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md)
- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)

8
windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
View File

@ -26,11 +26,11 @@ ms.date: 11/28/2018
**Applies to:**
- Azure Active Directory
- Office 365
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Microsoft Defender ATP supports two ways to manage permissions:
Defender for Endpoint supports two ways to manage permissions:
- **Basic permissions management**: Set permissions to either full access or read-only.
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
@ -38,7 +38,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
> [!NOTE]
> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
>
> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC.
> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC.
> - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
> - After switching to RBAC, you will not be able to switch back to using basic permissions management.

14
windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
View File

@ -18,22 +18,22 @@ ms.topic: article
ms.date: 11/20/2018
---
# Experience Microsoft Defender ATP through simulated attacks
# Experience Microsoft Defender for Endpoint through simulated attacks
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
@ -61,7 +61,7 @@ Read the walkthrough document provided with each attack scenario. Each document
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
>
>
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
## Related topics

16
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
View File

@ -23,7 +23,7 @@ ms.custom: asr
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Is attack surface reduction (ASR) part of Windows?
@ -43,7 +43,7 @@ Yes. ASR is supported for Windows Enterprise E3 and above.
All of the rules supported with E3 are also supported with E5.
E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
## What are the currently supported ASR rules?
@ -75,13 +75,13 @@ Larger organizations should consider rolling out ASR rules in "rings," by auditi
Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?
## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR?
In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities.
The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities.
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
@ -95,9 +95,9 @@ It depends on the rule. Most ASR rules cover the behavior of Microsoft Office pr
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline?
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint.
## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.

10
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -24,7 +24,7 @@ ms.date: 10/08/2020
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
@ -50,13 +50,13 @@ You can set attack surface reduction rules for devices running any of the follow
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
Defender for Endpoint provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
Here is an example query:
@ -87,7 +87,7 @@ This will create a custom view that filters events to only show the following, a
|1121 | Event when rule fires in Block-mode |
|1122 | Event when rule fires in Audit-mode |
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
## Attack surface reduction rules

6
windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
View File

@ -15,14 +15,14 @@ ms.reviewer:
manager: dansimp
---
# Test how Microsoft Defender ATP features work in audit mode
# Test how Microsoft Defender for Endpoint features work in audit mode
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
@ -32,7 +32,7 @@ The features won't block or prevent apps, scripts, or files from being modified.
To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.

4
windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
ms.date: 08/25/2020
ms.date: 11/05/2020
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@ -42,7 +42,7 @@ Apps can also be manually added to the trusted list via Configuration Manager an
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

6
windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -36,7 +36,7 @@ Retrieves specific [Investigation](investigation.md) by its ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

6
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -35,7 +35,7 @@ Retrieves a collection of alerts related to a given IP address.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

6
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -35,7 +35,7 @@ Retrieves the statistics for the given IP.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

2
windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
View File

@ -25,7 +25,7 @@ ROBOTS: NOINDEX
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Retrieves a collection of KB's and KB details.

6
windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -36,7 +36,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

6
windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@ -31,7 +31,7 @@ Retrieves a collection of alerts related to a given domain address.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

6
windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -36,7 +36,7 @@ Retrieves a collection of logged on users on a specific device.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

4
windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description

6
windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -35,7 +35,7 @@ Retrieves specific [Machine Action](machineaction.md) by its ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

10
windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
View File

@ -21,16 +21,16 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Machine Actions](machineaction.md).
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations
@ -39,7 +39,7 @@ Retrieves a collection of [Machine Actions](machineaction.md).
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
@ -193,4 +193,4 @@ Content-type: application/json
```
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)

2
windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
View File

@ -25,7 +25,7 @@ ms.date: 10/07/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Retrieves a collection of RBAC device groups.

4
windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
View File

@ -23,14 +23,14 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieve a list of device references that has this software installed.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

5
windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
View File

@ -21,14 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of devices affected by a vulnerability.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

10
windows/security/threat-protection/microsoft-defender-atp/get-machines.md
View File

@ -21,16 +21,16 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud.
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
<br>See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations
@ -122,4 +122,4 @@ Content-type: application/json
```
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)

2
windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
View File

@ -24,7 +24,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Retrieves a collection of devices security states.

4
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs (security updates) by device ID

6
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
View File

@ -21,15 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs (security updates) by software ID
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

4
windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description

3
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
View File

@ -20,8 +20,7 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]

5
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
View File

@ -21,14 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of devices associated with the security recommendation.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

5
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
View File

@ -21,14 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a security recommendation related to a specific software.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

5
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
View File

@ -21,14 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of vulnerabilities associated with the security recommendation.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

5
windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
View File

@ -21,14 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of security recommendations related to a given device ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

4
windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
View File

@ -23,14 +23,14 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves software details by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

4
windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
View File

@ -23,14 +23,14 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a list of your organization's software version distribution.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
:---|:---|:---

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 106 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

103
windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Mitigate zero-day vulnerabilities - threat and vulnerability management
description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management.
keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: article
---
# Mitigate zero-day vulnerabilities - threat and vulnerability management
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited.
Threat and vulnerability management will only display zero-day vulnerabilities it has information about.
## Find information about zero-day vulnerabilities
Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center.
### Threat and vulnerability management dashboard
Look for recommendations with a zero-day tag in the “Top security recommendations” card.
![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png)
Find top software with the zero-day tag in the "Top vulnerable software" card.
![Top vulnerable software with a zero-day tag.](images/tvm-zero-day-top-software.png)
### Weaknesses page
Look for the named zero-day vulnerability along with a description and details.
- If this vulnerability has a CVE-ID assigned, youll see the zero-day label next to the CVE name.
- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
![Zero day example for CVE-2020-17087 in weaknesses page.](images/tvm-zero-day-weakness-name.png)
### Software inventory page
Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.
![Zero day example of Windows Server 2016 in the software inventory page.](images/tvm-zero-day-software-inventory.png)
### Software page
Look for a zero-day tag for each software that has been affected by the zeroday vulnerability.
![Zero day example for Windows Server 2016 software page.](images/tvm-zero-day-software-page.png)
### Security recommendations page
View clear suggestions regarding remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.
If there is software with a zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding all vulnerabilities.
![Zero day example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-security-recommendation.png)
## Addressing zero-day vulnerabilities
Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.
There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png)
## Patching zero-day vulnerabilities
When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
![Recommendation for "Update Microsoft Windows 10" with new patch label.](images/tvm-zero-day-patch.jpg)
## Related topics
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
- [Dashboard](tvm-dashboard-insights.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Vulnerabilities in my organization](tvm-weaknesses.md)

8
windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
View File

@ -46,12 +46,12 @@ This setting has these possible values:
For a local logon, the user's full name is displayed.
If the user signed in using a Microsoft account, the user's email address is displayed.
For a domain logon, the domain\username is displayed.
This has the same effect as turning on the **Privacy** setting.
This setting has the same effect as turning on the **Privacy** setting.
- **User display name only**
The full name of the user who locked the session is displayed.
This has the same effect as turning off the **Privacy** setting.
This setting has the same effect as turning off the **Privacy** setting.
- **Do not display user information**
@ -69,7 +69,7 @@ This setting has these possible values:
- **Blank**
Default setting.
This translates to “Not defined,” but it will display the users full name in the same manner as the option **User display name only**.
This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**.
When an option is set, you cannot reset this policy to blank, or not defined.
### Hotfix for Windows 10 version 1607
@ -149,7 +149,7 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i
Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user.
You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon.
You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to log on.
## Related topics

2
windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
View File

@ -43,7 +43,7 @@ A malicious user might install malware that looks like the standard logon dialog
### Best practices
- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
- We recommend that you set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
### Location

6
windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
View File

@ -22,7 +22,7 @@ ms.date: 08/27/2018
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting.
## Reference
@ -36,7 +36,7 @@ If a domain controller is unavailable and a user's logon information is not cach
The system cannot log you on now because the domain *DOMAIN NAME* is not available.
The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session.
The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session.
Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session.
The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session.
Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords.

12
windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
View File

@ -1,6 +1,6 @@
---
title: Interactive logon Require smart card - security policy setting (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting.
description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require smart card security policy setting.
ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c
ms.reviewer:
ms.author: dansimp
@ -31,7 +31,7 @@ Describes the best practices, location, values, policy management, and security
The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card.
Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller.
Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This requirement reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller.
### Possible values
@ -41,7 +41,7 @@ Requiring users to use long, complex passwords for authentication enhances netwo
### Best practices
- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
### Location
@ -49,7 +49,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
The following table lists the actual and effective default values for this policy, by server type or Group Policy Object (GPO). Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
@ -74,7 +74,7 @@ None.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through GPOs. If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
@ -90,7 +90,7 @@ For users with access to computers that contain sensitive data, issue smart card
### Potential impact
All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because
All users of a device with this setting enabled must use smart cards to log on locally. So the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because
expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client.
## Related topics

22
windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
View File

@ -1,6 +1,6 @@
---
title: Interactive logon Smart card removal behavior (Windows 10)
description: Best practices, location, values, policy management and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
ms.reviewer:
ms.author: dansimp
@ -22,13 +22,13 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.
Describes the recommended practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.
## Reference
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
If smart cards are used for authentication, the device should automatically lock itself when the card is removed—that way, if users forget to manually lock their devices when they are away from them, malicious users cannot gain access.
If smart cards are used for authentication, the device should automatically lock itself when the card is removed. So if users forget to manually lock their devices when they leave, malicious users cannot gain access.
If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations.
@ -40,21 +40,21 @@ If you select **Force Logoff** in the property sheet for this policy setting, th
- No Action
- Lock Workstation
If you select this, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
If you use this setting, the workstation is locked when the smart card is removed. So users can leave the area, take their smart card with them, and still maintain a protected session.
- Force Logoff
If you select this, the user is automatically logged off when the smart card is removed.
If you use this setting, the user is automatically logged off when the smart card is removed.
- Disconnect if a remote Remote Desktop Services session
If you select this, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
If you use this setting, removal of the smart card disconnects the session without logging off the user. So the user can insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
- Not Defined
### Best practices
- Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. This allows users to leave the area, take their smart card with them, and still maintain a protected session.
- Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. So users can leave the area, take their smart card with them, and still maintain a protected session.
### Location
@ -62,7 +62,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
The following table lists the actual and effective default values for this policy, by server type or Group Policy Object (GPO). Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
@ -79,7 +79,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
@ -87,7 +87,7 @@ None
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through GPOs. If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials.
Users sometimes forget to lock their workstations when they're away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials.
### Countermeasure

16
windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting.
This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting.
## Reference
@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
@ -63,13 +63,13 @@ The following table lists the actual and effective default policy values. Defaul
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting.
Task Scheduler automatically grants this right when a user schedules a task. To override this behavior, use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting.
Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update:
@ -80,7 +80,7 @@ Group Policy settings are applied in the following order, which will overwrite s
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration. It describes how to apply the countermeasure and the possible negative consequences of countermeasure.
### Vulnerability
@ -88,13 +88,13 @@ The **Log on as a batch job** user right presents a low-risk vulnerability. For
### Countermeasure
You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account.
Allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you don't want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account.
For IIS servers, you should configure this policy locally instead of through domainbased Group Policy settings so that you can ensure the local IUSR\_*&lt;ComputerName&gt;* and IWAM\_*&lt;ComputerName&gt;* accounts have this user right.
For IIS servers, configure this policy locally instead of through domainbased Group Policy settings so that you can ensure the local IUSR\_*&lt;ComputerName&gt;* and IWAM\_*&lt;ComputerName&gt;* accounts have this user right.
### Potential impact
If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*&lt;ComputerName&gt;*, ASPNET, and IWAM\_*&lt;ComputerName&gt;* accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality.
If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*&lt;ComputerName&gt;*, ASPNET, and IWAM\_*&lt;ComputerName&gt;* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality.
## Related topics

18
windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting.
This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting.
## Reference
@ -47,7 +47,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
By default this setting is Network Service on domain controllers and Network Service on stand-alone servers.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
The following table lists the actual and effective default policy values. The policy's property page also lists default values.
| Server type or GPO | Default value |
| - | - |
@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
@ -79,21 +79,21 @@ Group Policy settings are applied in the following order, which will overwrite s
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration. It explains the countermeasure. And it addresses the possible negative consequences of the countermeasure.
### Vulnerability
The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An
attacker who has already attained that level of access could configure the service to run with the Local System account.
The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
attacker who has already reached that level of access could configure the service to run with the Local System account.
### Countermeasure
By definition, the Network Service account has the **Log on as a service** user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right.
By definition, the Network Service account has the **Log on as a service** user right. This right isn't granted through the Group Policy setting. Minimize the number of other accounts that are granted this user right.
### Potential impact
On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to
assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account.
On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account.
## Related topics

2
windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
View File

@ -37,7 +37,7 @@ If the value for this policy setting is too high, users might be able to access
### Best practices
- It is advisable to set **Maximum lifetime for user ticket** to 10 hours.
- We recommend that you set the **Maximum lifetime for user ticket** to 10 hours.
### Location

6
windows/security/threat-protection/security-policy-settings/minimum-password-age.md
View File

@ -32,9 +32,9 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day.
[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to one day.
Setting the number of days to 0 allows immediate password changes, which is not recommended.
Setting the number of days to 0 allows immediate password changes. This setting is not recommended.
Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat
Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach.
To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. You must configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective.
To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective.
### Countermeasure

22
windows/security/threat-protection/security-policy-settings/minimum-password-length.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
## Reference
@ -35,9 +35,9 @@ The **Minimum password length** policy setting determines the least number of ch
### Best practices
Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 is not supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls.
Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls.
In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember.
@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
| Default domain policy| 7 characters|
| Default domain policy| Seven characters|
| Default domain controller policy | Not defined|
| Stand-alone server default settings | 0 characters|
| Domain controller effective default settings | 7 characters|
| Member server effective default settings | 7 characters|
| Effective GPO default settings on client computers | 0 characters|
| Stand-alone server default settings | Zero characters|
| Domain controller effective default settings | Seven characters|
| Member server effective default settings | Seven characters|
| Effective GPO default settings on client computers | Zero characters|
## Policy management
@ -64,7 +64,7 @@ This section describes features, tools, and guidance to help you manage this pol
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
## Security considerations
@ -78,14 +78,14 @@ Types of password attacks include dictionary attacks (which attempt to use commo
Configure the **Minimum password length** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required.
In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack.
In most environments, we recommend an eight-character password because it's long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack.
> [!NOTE]
> Some jurisdictions have established legal requirements for password length as part of establishing security regulations.
### Potential impact
Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.
Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover.
## Related topics

2
windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
View File

@ -96,7 +96,7 @@ This section describes how an attacker might exploit a feature or its configurat
Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
Windows Integrity Controls and makes your system vulnerable to attacks by malicious software.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be re-labeled. However, the re-labeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to re-label.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to relabel.
### Countermeasure

4
windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
View File

@ -34,7 +34,7 @@ When a service connects with the device identity, signing and encryption are sup
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|
@ -91,6 +91,6 @@ You can configure the **Network security: Allow Local System to use computer ide
If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008.
Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
## Related topics
## Related articles
- [Security Options](security-options.md)

22
windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
View File

@ -22,11 +22,11 @@ ms.date: 04/19/2017
**Applies to**
- Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
## Reference
This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted.
This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it isn't selected, the encryption type won't be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted.
For more information, see [article 977321](https://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base.
@ -35,11 +35,11 @@ The following table lists and explains the allowed encryption types.
| Encryption type | Description and version support |
| - | - |
| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. |
| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems do not support DES by default. |
| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function<br/>Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).<br/>Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
### Possible values
@ -58,7 +58,7 @@ The encryption type options include:
### Best practices
You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation.
Analyze your environment to determine which encryption types will be supported and then select the types that meet that evaluation.
### Location
@ -81,21 +81,21 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
Windows Server 2008 R2, Windows 7, and Windows 10, don't support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
### Countermeasure
Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites.
Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites.
### Potential impact
If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
## Related topics
## Related articles
- [Security Options](security-options.md)

6
windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
View File

@ -1,6 +1,6 @@
---
title: Network security Force logoff when logon hours expire (Windows 10)
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security Force logoff when logon hours expire.
description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire.
ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926
ms.reviewer:
ms.author: dansimp
@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting.
## Reference
@ -87,6 +87,6 @@ Enable the **Network security: Force logoff when logon hours expire** setting. T
When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences.
## Related topics
## Related articles
- [Security Options](security-options.md)

18
windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
View File

@ -25,12 +25,12 @@ Describes the best practices, location, values, and security considerations for
## Reference
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements:
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "grin" or "hagens" as a substring anywhere in the password.
2. The password contains characters from three of the following categories:
@ -39,16 +39,16 @@ The **Passwords must meet complexity requirements** policy setting determines wh
- Base 10 digits (0 through 9)
- Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
- Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created.
The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified.
Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve.
When enabled, the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users aren't used to passwords that contain characters that aren't in the alphabet. But this policy setting is liberal enough that all users should get used to it.
Additional settings that can be included in a custom Passfilt.dll are the use of nonupper-row characters. Upper-row characters are those typed by pressing and holding the SHIFT key and then pressing any of the keys on the number row of the keyboard (from 1 through 9 and 0).
Additional settings that can be included in a custom Passfilt.dll are the use of nonupper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values
@ -61,9 +61,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
> [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible.
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.)
The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add additional complexity to the password.)
Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements.

8
windows/security/threat-protection/security-policy-settings/profile-single-process.md
View File

@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security
## Reference
This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the systems monitor components are configured to collect data through Windows Management Instrumentation (WMI).
This policy setting determines which users can view a sample performance of an application process. Typically, you don't need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the systems monitor components are configured to collect data through Windows Management Instrumentation (WMI).
Constant: SeProfileSingleProcessPrivilege
@ -38,7 +38,7 @@ Constant: SeProfileSingleProcessPrivilege
### Best practices
- This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs.
- This right shouldn't be granted to individual users. It should be granted only for trusted applications that monitor other programs.
### Location
@ -50,7 +50,7 @@ By default this setting is Administrators on domain controllers and on stand-alo
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Administrators|
@ -69,7 +69,7 @@ Any change to the user rights assignment for an account becomes effective the ne
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
Settings are applied in the following order through a Group Policy Object, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings

6
windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
View File

@ -1,6 +1,6 @@
---
title: Recovery console Allow automatic administrative logon (Windows 10)
description: Best practices, location, values, policy management and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
ms.reviewer:
ms.author: dansimp
@ -22,13 +22,13 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting.
## Reference
This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required.
The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server.
The Recovery Console can be useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server.
### Possible values

4
windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
View File

@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for
The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md).
A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls.
The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls.
### Possible values
@ -37,7 +37,7 @@ A disadvantage to setting this too high is that users lock themselves out for an
### Best practices
You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).

6
windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
View File

@ -55,7 +55,7 @@ By default, this right is granted to the Administrators, Backup Operators, and S
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
|Default Domain Policy | |
| Default Domain Controller Policy| Administrators<br/>Backup Operators<br/>Server Operators|
@ -74,7 +74,7 @@ Any change to the user rights assignment for an account becomes effective the ne
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
Settings are applied in the following order through a Group Policy Object, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
@ -99,7 +99,7 @@ Ensure that only the local Administrators group is assigned the **Restore files
### Potential impact
If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs.
If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who aren't members of the local Administrators group can't load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs.
## Related topics

106
windows/security/threat-protection/security-policy-settings/security-options.md
View File

@ -1,6 +1,6 @@
---
title: Security Options (Windows 10)
description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.
description: Introduction to the Security Options settings of the local security policies plus links to more information.
ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b
ms.reviewer:
manager: dansimp
@ -19,23 +19,23 @@ ms.date: 06/28/2018
**Applies to**
- Windows 10
Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.
Provides an introduction to the **Security Options** settings for local security policies and links to more information.
The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization.
If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO.
When you edit policy settings locally on a device, you only affect the settings on only that device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO.
For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md).
## In this section
| Topic | Description |
| Article | Description |
| - | - |
| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.|
| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.|
| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.|
| [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. |
| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.|
| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy article for the IT professional describes the best practices, location, values, and security considerations for this policy setting.|
| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.|
| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.|
| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.|
@ -64,45 +64,45 @@ For info about setting security policies, see [Configure security policy setting
| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.|
| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.|
| [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. |
| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. |
| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. |
| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. |
| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. |
| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. |
| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. |
| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. |
| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.|
| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.|
| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. |
| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. |
| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.|
| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.|
| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. |
| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. |
| [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. |
| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. |
| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. |
| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. |
| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. |
| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.|
| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.|
| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. |
| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.|
| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.|
| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. |
| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. |
| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. |
| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.|
| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management, and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. |
| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.|
| [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. |
| [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. |
| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. |
| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. |
| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. |
| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. |
| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. |
| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. |
| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |
| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.|
| [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. |
| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. |
| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. |
| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. |
| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.|
| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. |
| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. |
| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. |
| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. |
| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: LAN Manager authentication level** security policy setting.|
| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. |
| [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. |
| [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. |
| [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. |
@ -110,28 +110,28 @@ For info about setting security policies, see [Configure security policy setting
| [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. |
| [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. |
| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. |
| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. |
| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. |
| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. |
| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.|
| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. |
| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. |
| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. |
| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. |
| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)** security policy setting. |
| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.|
| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management, and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. |
| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. |
| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. |
| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. |
| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. |
| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. |
| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. |
| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. |
| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. |
| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. |
| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. |
| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. |
| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. |
| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |
## Related topics
## Related articles
- [Security policy settings reference](security-policy-settings-reference.md)
- [Security policy settings](security-policy-settings.md)

20
windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
View File

@ -28,9 +28,9 @@ Describes the best practices, location, values, policy management, and security
This security setting determines if a user who is logged on locally to a device can shut down Windows.
Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master.
Shutting down domain controllers makes them unable to do things like process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing logon requests for new passwords, which are done by the primary domain controller (PDC) emulator master.
The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown.
The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown.
Constant: SeShutdownPrivilege
@ -42,8 +42,8 @@ Constant: SeShutdownPrivilege
### Best practices
1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected.
2. The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller.
1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected.
2. The ability to shut down domain controllers should be limited to a small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller.
### Location
@ -91,20 +91,20 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller.
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be careful about which accounts and groups you allow to shut down a domain controller.
When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master.
When a domain controller is shut down, it can't process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which are performed by the PDC master.
For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers.
For other server roles, especially roles where non-administrators have rights to log on to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers.
### Countermeasure
Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers.
Make sure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers. And make sure that only the Administrators group is assigned the user right on domain controllers.
### Potential impact
The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected.
The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. Confirm that delegated activities aren't adversely affected.
## Related topics
## Related articles
- [User Rights Assignment](user-rights-assignment.md)

28
windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
View File

@ -1,6 +1,6 @@
---
title: Shutdown Allow system to be shut down without having to log on (Windows 10)
description: Best practices, security considerations and more for the security policy setting, Shutdown Allow system to be shut down without having to log on.
description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on.
ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315
ms.reviewer:
ms.author: dansimp
@ -22,30 +22,31 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting.
## Reference
This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown.
This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right.
Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
condition from a local console by restarting or shutting down the server.
Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services.
### Possible values
- Enabled
The shut down command is available on the logon screen.
The shutdown command is available on the sign-in screen.
- Disabled
The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown.
The shut down option is removed from the sign-in screen. Users must have the **Shut down the system** user right to do a shutdown.
- Not defined
### Best practices
1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them.
2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**.
1. On servers, set this policy to **Disabled**. You must sign in to servers to shut down or restart them.
2. On client devices, set this policy to **Enabled**. Define the list of users who have the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**.
### Location
@ -78,7 +79,10 @@ For info about the User Rights Assignment policy, **Shut down the system**, see
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes:
- How an attacker might exploit a feature or its configuration.
- How to implement the countermeasure.
- Possible negative consequences of countermeasure implementation.
### Vulnerability
@ -92,8 +96,8 @@ Disable the **Shutdown: Allow system to be shut down without having to log on**
### Potential impact
You must log on to servers to shut them down or restart them.
You must sign in on servers to shut them down or restart them.
## Related topics
## Related articles
- [Security Options](security-options.md)

2
windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting.
## Reference

4
windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
View File

@ -1,5 +1,5 @@
---
title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10)
title: System objects Strengthen default permissions of internal system objects (e.g., Symbolic Links) (Windows 10)
description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links).
ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
ms.reviewer:
@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
# System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
# System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
**Applies to**
- Windows 10

4
windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
View File

@ -1,6 +1,6 @@
---
title: System settings Optional subsystems (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting.
description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting.
ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78
ms.reviewer:
ms.author: dansimp
@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.
## Reference

10
windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
View File

@ -26,17 +26,17 @@ Describes the best practices, location, values, and security considerations for
## Reference
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user.
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
>**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators.
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model.
Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that support an accessible user experience control the behavior of other Windows applications for the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions don't interfere with the Microsoft UI automation model.
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
checks before starting an application with UIAccess privilege.
@ -120,7 +120,7 @@ Disable the **User Account Control: Allow UIAccess applications to prompt for el
### Potential impact
If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrators session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrators session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. But selecting this check box requires the interactive user to respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user doesn't have the required credentials to allow elevation.
## Related topics

4
windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting.
## Reference
@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised.
Intellectual property, personal information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised.
### Countermeasure

23
windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
View File

@ -22,11 +22,11 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting.
## Reference
This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories:
This policy setting enforces the requirement that apps that request running with a UIAccess integrity level by marking *UIAccess=true* in their app manifest must reside in a secure location on the file system. Relatively secure locations are limited to the following directories:
- \\Program Files\\ including subdirectories
- \\Windows\\system32\\
@ -36,11 +36,11 @@ This policy setting enforces the requirement that apps that request running with
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model.
Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications for the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions don't interfere with the Microsoft UI automation model.
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege.
@ -87,7 +87,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Group Policy
@ -95,11 +95,14 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes:
- How an attacker might exploit a feature or its configuration.
- How to implement the countermeasure.
- The possible negative consequences of countermeasure implementation.
### Vulnerability
UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities:
UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities:
- Set the foreground window.
- Drive any application window by using the SendInput function.
@ -113,8 +116,8 @@ Enable the **User Account Control: Only elevate UIAccess applications that are i
### Potential impact
If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level.
If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level.
## Related topics
## Related articles
- [Security Options](/windows/device-security/security-policy-settings/security-options)

13
windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
View File

@ -1,6 +1,6 @@
---
title: AppLocker functions (Windows 10)
description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
ms.reviewer:
ms.author: dansimp
@ -23,11 +23,11 @@ ms.date: 09/21/2017
- Windows 10
- Windows Server
This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
## Functions
The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN:
Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
- [SaferGetPolicyInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159781)
- [SaferCreateLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159782)
@ -40,7 +40,7 @@ The following list includes the SRP functions beginning with Windows Server 200
## Security level ID
AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
AppLocker and SRP use the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
| Security level ID | SRP | AppLocker |
| - | - | - |
@ -50,9 +50,10 @@ AppLocker and SRP use the security level IDs to stipulate the access requirement
| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
| SAFER_LEVELID_DISALLOWED | Supported | Supported |
In addition, URL zone ID is not supported in AppLocker.
>[!Note]
>URL zone ID isn't supported in AppLocker.
## Related topics
## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)

24
windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
View File

@ -1,6 +1,6 @@
---
title: Create a rule for packaged apps (Windows 10)
description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0
ms.reviewer:
ms.author: dansimp
@ -23,9 +23,9 @@ ms.date: 09/21/2017
- Windows 10
- Windows Server
This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
- Publisher of the package
- Package name
@ -40,9 +40,9 @@ You can perform this task by using the Group Policy Management Console for an Ap
**To create a packaged app rule**
1. Open the AppLocker console.
2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
3. On the **Before You Begin** page, click **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
3. On the **Before You Begin** page, select **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
<table>
<colgroup>
@ -65,8 +65,8 @@ You can perform this task by using the Group Policy Management Console for an Ap
</tr>
<tr class="even">
<td align="left"><p><b>Use a packaged app installer as a reference</b></p></td>
<td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.</p></td>
<td align="left"><p>Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.</p></td>
<td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.</p></td>
<td align="left"><p>Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.</p></td>
</tr>
</tbody>
</table>
@ -110,11 +110,11 @@ You can perform this task by using the Group Policy Management Console for an Ap
<tr class="odd">
<td align="left"><p>Applying custom values to the rule</p></td>
<td align="left"><p>Selecting the <b>Use custom values</b> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
<td align="left"><p>You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <b>Use custom values</b> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
<td align="left"><p>You want to allow users to install all Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <b>Use custom values</b> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
</tr>
</tbody>
</table>
 
6. Click **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**.
6. Select **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.