From 6e71c85ea71380a6dbaa957e55a51abf93754dbf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 15 Feb 2018 16:53:42 -0800 Subject: [PATCH 1/7] add server 2016 server support --- ...ows-defender-advanced-threat-protection.md | 27 +++++++++++++++++- .../images/atp-verify-passive-mode.png | Bin 0 -> 33643 bytes 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 576adf3128..3d6c6ef939 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 11/30/2017 +ms.date: 03/05/2018 --- # Configure Windows Defender ATP server endpoints @@ -79,6 +79,31 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | +## Onboard Windows Server 2016 +You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. + +1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). + +2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md). + +3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerSHell command to verify that the passive mode was configured: + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + +4. Run the following command to check if Windows Defender AV is installed: + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + ### Offboard server endpoints To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png b/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png new file mode 100644 index 0000000000000000000000000000000000000000..32907fedb66009860f97abb0c38d495dd8007422 GIT binary patch literal 33643 zcmcG$QZ&sxI5MZFJeLF59+kP4zkR&GY{^b2k_78<{J1L}X-U z?1)%vKN&7BD+UXN1qA>A04pIbtOx)AjQ4Y_0s;2(KO(~f^OHc@i)%Om0Kg6Y`vE3X z!(sn`;LZ{9~|A9o*odsN+&Fvfk%4;UXe;^p=A4u55$;i>d-r2&= z762KNkoX6O`iBeI*?Txzn3+2RRKZVh{h)CFK^;vD{+SXuTiBQYus*{>{^UUZ%Tcm3 zb#^mwGy%}D|NdtV{h!J$oQ$jueoP$!T6&vee_)7zu$qCRt%a=_Kri-D=nn?|-|{Yw zMkWA{-+|}I7MM6eW?=pow)mfB6M41 zc-xr$J$hofP_djw*20qS(50yy8B^f2wtyQRFEN!)mpdKOGgxf%APipBiAa9UFzk6r|?25~}lB`WXK~o5a%`HjOkCk>)*h=aq?-QZ^1ALb9dlfYd&@Dt3ZArye8RNDt(ra7+nVE2 zh5!}AyUkdjhumMGOx$d$hUa5JM~>n~8U%ctj>)s!4hd^$6doO&uPF?Y&96RLk0Vdf zcEv8vUmqmr`KL%{S>mGmsyk1A{f(0T*;csthKY6vW(lE zkzDbTf`Z~n=Y!|K1q?oO$adtLo?Pv2%F%r7p5=Na(heSdS%;G&yknhpKUt%+)!m02 z_TO{cC`zkI+F89J)Wus08Nt~isr8KYvy<#=`PApTM3e1C6IUjl-kTswZOr^Oeh0*# zI#{#URYOHh3V_DRx(EDzv*u;Z`OKlu)O0wB^K+-v%KmIywC>w)|J%t`E){w=@priM zQPoaU<>_<%cu{x?GzOnjy20*=zx8*LHa<_;;wNax#$4{e_{ja_8?*hoyl-nQUWw%6 zO?SVJ=b3`*Ri*T}wAQPLNw(?wm%QTLqo4D$dgYQoxNf=RIUTk-hYfFJ^U$rSLWO_b zaO3kdLA$J1q!zHx?eoS+*6x7E!3yLS_G&I({T9S80sV2lk*{R#RpXxM1?;@aa#MCZ z{Ee_Hv6TDIW$xA1W1zsA76dIG@Rq}PZwDeNeDlG?{6z?YMCed>rxoqss&6~ltEL1u zU;d8e>!UrS-XHO`#pqf}^^dE+L;+@f7Q?0&F0Y1tRMD^5sL%icBedH4T}FZg1qe? z?@NR{eOr+~_#qh(RrzxFp9v9 z)8P5KVnU<079U?;+qJ}v4myce`F4Id9GSm-V-ur*k{PrwtjTh-1fAh5r6xL zKMX)igp}c__?cOp<^3vR>6rC;&VBP@!{4~gjNdT;sfIN+&icD!eV@vwsI04&bxLoN zMMOhnb>F*<9Q&V}`5r?Bij@MN`T)W$y%MG$1&#oQH<&)`uaLv!y#`9@Wf1JjP-?T` zE%2r>r=S>HPxG1x3}|8o$;}$adX)8iI*YP7qDWc0&ih`Eot+pVr8hdX=hIF2C0GJ% zrVO9s@r1{v{0xS~(P;$FJ+-hqRv(KBiVJY$30r>l<=3}$>h0T&7`rrfJo9$=(fWoG z-{M+owk>vwqTxL~mM(Wcs|hNCf$=Bz;Ir>Ce1Rf^p-K#$!R(19CHJnkKonv90#Mht z4HWQ+hpy^1X|^Yq_<5948vW?@ws-#nNq;yVd$2n8;dsk7I&AKD6LHo1t53<*L+?EK z?>sc%mzUGGA!s-eLbH7iGCGd_F=@MnpvfveY=LpKWvF}-c3x6#^4ebi8g2!syT8)0 z-=89U>J|g0X?6H|BV$Q9>e9;=vx=<%4P=d0Z`j`5Ljj>f0mZWb!#x`?b|`nva=VEh zIZd7o)Y<1jyM(_Ks5DljXZZua?JPEL^+tP0Pt%NAqK)5kC3B$_u(ou0rF9n zDW@g<2Rwog>jDEdysi7T-18J)zq%jZ&N$Jk)<;WxFI%^b_^o_1ho80XAs{P7qp7|Y zdK%#fhfsk;2;J7rym{^TLlan0cyr5^p6B0p`I?|m4@fQyMiPP#T+U)$F1)IkSb~lu zQU!9I^l*{!NCVq>s9iT(_poj+E{-vJmckeF_fc@&-#$alu}^_ZRhgW&926^E_Qt@^ zkqH1qN(tQfrMAYk54eloh-jwqyZPzSC6+9O_7ENk#^`E6$LVUnc5i;O!_BkN2B_kr?U5znrT%_i z`q4BF9BHb53tceK3;9sJza*w0uJK5xN5dF=x~(w6V+v71=TQkfl_W`GUtR zn^|v;h1dO+1~muS>P11nsgcNlkGkG%;mvObn>h{DG*i-a`AGrH6*9gf^yBJk`nSI; zl7aMhHuwV>ujPz<6yZcdMVOu%A3_;nJ{{pIU2zPqvlwB%Pn6Iu_(z8A#F$LH_yESV z_>U*k*TqL2cXkhj?o!4+-Yc)wePzK%Kxw?5&hI-Ld!S%6f472)Y`RY6LB5JTe2L3`?Aahr8cY4zZft#=`fuJI-# zGA}u@lmkRc_^MxgWB1!5wOGQ`etX6Ng*sf48~cHZ^rd^Gxb#FDOf=lPXUJf*M+-IT znw>mklR($KWEnlSDop6QCPnT%9Wr0MeX8+&c@jhN>F!MI-|V@$J54bL0jMxLneIYt zeR@)cGTZnW8DL8|yWno7{1PO}tDvX|F_qbwXrS!ma|R@*uSSSbqJDKhlWfkN7GyszZEpwwJBj`wpX93ZnHTeOiHvR9NZL~l8^Bj)`iVjB?L1(p#3 zcBHp=-h7_mzx3BoLXZUyJ?!KnH;fWbUbo}yIAYpld!wpg?Cb~_rMZ4Blc!RCIieE3JTMjLT5IuJCR50=HoliTN!F7Cr+#TB9avW91vKGIfcn>j|K^a zt57_Hbpd6PYcRZWCadO%+%=(UgmirV>d)G=C{kzT;qeh)XAPv(^BbcVWBvsg?~@Vj zw7uVDa(u%;jo}G|-HkP!6diuB25K59*>~F(m3hnUmo?G1Jd&D~c%Jrt`7XVd5)>y8 z`m;vTj;HS4SHMGwq@Uf~HnDWmAJI3hmg=iYTDg9>8G2p-gzEej8CL_F^VIZvyKWur z@x_qaRLi&@_cv}GNF)^sxiy=nwZ>jU!Tk)e5@|erQE_XY91-(?h z$3UmTxhf*X6RCPjsPo3z=?rM)iRpb3+{5~UOZR*sx6GC}Z4UO%bYrMsOvl~p4uK0y zr(z`Dgjv0AhX%1wjkz55_s*ypti{uuar?$Cr`v0e*;3uI#+p5r6ZwW1vEI&3kH^&~ zY*wSrc8d`SJFzSjo%L>qLE-A>31dtT+If2?ODrzFR^9pXwN3Pkj#S$BrDhUhXqsco zx#r!oOt^;;(xvTpKqyvc-%WSp>%jpeT&{(fH0;g^-BXs#!0aWfZVjl%v1^0=0{UQ= zr$1-xJ76CDmEhuw82LN#nzVz)OFKiN0soRai1}enJU5a=LhU(!EauF7E88hTD#`Ml)oyF?H4tQ z5adr$(89dD!3M#xN~sS;!=sN?UDe3AUc959UB~v;Q)DUD0Wp`o>8>e0_o@juCnHg3 zC}78^AYgD-xK};A(GsPyO4SwMIaj3`5kLo}g_$1~ydU76;O&D&-YSWb$f~y&pVj3@ zxW9IC9*g+cBOTnDOxC>c>y}Q2>e#`MJ|97z@TUcZaZLLAW(rcQ06j4x777@6ADsU|olko6jgbwUF{S+oZ>>!dDYcf!;y1?L%DGs;s zFzm<3DFa$@V?K`_asQmebl&1iBJ%{il@h!AeB%3X*frwPzWcp`3d$u*V{-bjcoFpy zhMee?p;X+n2BPYBHsO=T!E>P|B&B^^a#QFf zw^5snweeS{cTmBem5reL2U5(4NkWBMvF80(6IWa6=lzkr{No_|Gf8PyG~@%j-kmuG z^R)j=^?|XeAqZ%SIQMWlvPDrYM3KlG78?EN5W^j%ylt^$KUuS0PzMkigW0AH4{H%< ze0NR9#p>&d?ZQ;c!BPKc{?3LZ+SS=mS#teJYZe3ba)_<=wA$b_vfmX<>64hF)D;%m zGcd9IeX1(cJ{Sij0t>&?5Lh><%Q|Vgc74Jhi zPvB#ZcldTNm@<5Lk?H{0LaaS5II}Z2->w1=&lavT0L$fo4`8GOw+(3vD2PT)O|sz= zS;ew^My>W}z@{wBqTo#WFPLllP9E)P>9dxO=usW$)hiP7wk3NfF*|R z<99^xP1&z09S$+iE!r0_Ths9;{R-CUgNG1Qn*Nwzry@?GTi&+7O-%Xg48)qBS>)sU z08CB_ih`@%cI1j7AA&r@w)mIZwGbrWF`eTqa}04VyjgK+NQnP05k!@?4hfe4AKu%C z#(YzpJ$as{sLlY2j+jOz=!#IVJx>$jIIw59;=V3`+pIN*`27o`cW!z{JqKEXAj5v` zQa(l%pc__y2Wzfe*w+mF<*Wgm-N2(!;$?{5j?ID8FeJg>1-iab%PB&>0z4hlUwuz~ z@3*M3%LS76gk_I53pYx?{^-{$_b=DJs7NN36sR5)8;UXgO7oZ?&+Ldd9tn3y#}5b3UU=j7-I?=-BJ)(Y0?ys{QSi1Ir2J<~*49={DiwsIYNcN}G!O32vly#lB~bcYZlDm{wXn>9;~LpB6k z3|d8-=ByQ~Ph)ZJZS-(!AI>87-E>@9t5keE@rCn*J9>}dOX7JiJaKKPcrvQHhL|$x z?*?KvRS{qXOy^d=9RlyX*-~Aw^rZk|@xmhdXfALN>5G{>`n4>8=!ye}?TU+{B2dpc zgG_IqAY|?JjEYuHYK^QFinSPU(6@Eg#KI`XTKcP7Bc-xCUo19%3Jd|C)9was&3F+e8P>Vrblx^XuTT5gu z{OkwR>H%8ZV2Pfe((zVWJ|^V@+kB}z1s)VXeehH9xn z6z<|~hP8|0CyJ9Kd{1lV_6jLzAKNI%|FQBjsThpjIgN#{=lQzl8g_-D*x&kLa%_ax zbB}J<`-yp;yt{~sqc3QnK0a<$H|Sf}T(V@%;w42OkSjRj!hXZ?^f;i_iX^81+J{jF z^66W6vWs4B56?6Hegvo-i9O8cjgfN9m^2MyMYlS=zRjGZm?FSx@=Euw9GUH?f}|J< z0QchbrU~stLnsqel;kSsGXIVs*rmzgxt)`$ro5|`}@fwwgCBu^MT^+Q( zyCg*QBUe#SV7I0=5yL(g!NhLd?aciwQMVtmf?}oC56O!wIFf2G5aV& zDI!!4qB!>Kn)7Ca8(68EAGHTnNEIPfI*z2GtaQ6VutcLTp-7R8XFYD?BB`u7uPyLm zV$yogf<2K$8VJbo?!*5kgEw+ME2GXuP(qYA}W-xb5}PugQrWkI+8bGeMA zzdtSxJLj*lJG*7|uc4E5QrTfkPtCzqJFb=r&>rm`2`#^=_^_AL)D{Yby*ZBV_E{r- ziRFtt12tbwAFl|2FJ}B~)YxKb-r^yzuMV3JB_^El1D!tB@UN#?|K9INl~F}-#xY#8 zJ?ORM5H5~SsBGAN6GZHJ`iUIm^lox*+DY-v&>5ypYJpEa{;GkP!#K#=aIls`q>;Jgmp?j*mq}tvM9@7o) z2=N=}uyZLmQgKfHMk2Ow}QRk6&?DUOYejxbam6cxv1Wd|-&{0%|~ z?%AT=C`AB)0M0LyucnT5<{$6rd5NzMrH{)@7SPnBD#zqJSk3xH0K2v!cm3|N6n!y- zP3`R1I42<`VX)o8->_vm0!9(QwlDKHr#@V7d(M@!kn3y;Fq3Ng1Iq}Jfkt>j! zL4FbdIo8;N#`0c^=1;!h*=xFy`S&>pqRy@Aplt2ozn7&PDOobAnqZu&%bMsRbXTJz< z1CzU!#9N4ln-w8i?MMgGv|g~wlO;>|>!=(dNlUEL(_r7k(8*IOA^K5LZgO}nNwC!= zpsXkBxol8lvm*m`C_ht{+^Qs$gvNXOtgjrvz;5C{vw@ut!t9oNo`9U}+?iPiEOSm! z3|St=2PTO*Dbb6cb)qe%3F*5Dxi+W=X&+@c*wSfw^?p!77rZha)&w z?=0|au;jvkV!mt|oT?8C(vH=j98e7s%uu60Ps2Z=;tgTXqCeg-#R(Eq{c*ALdqWxS zN@{S=fC@{m;?I?AsB3*y+86Krlh|Bs;B|3|L#!8=zU@4;mm<@t*pq&mG=#Lf`zsE{ikUj`iY2KcT~ac1aC;h9v9ZpuMg~|QnSpiDEDjj1SLiKKhd`K z_cXpb`#$M`jTLz~+)xm6Ze?(T?n~* zdF97T^{*Ob@xDVKKkJa}?s-gQb551BTP5V^{H6oQmEG8$p9=ZY!{l|V@bF=%(|CtV zr$hQ9z$mi)(_$cRZ;1%`bhX2sdiaPv`4&`oo}9G9D`n$T8x*`}Pyi!-{mhG1kSYSd zTxP#Rfr<7HtZy|_Lxoe9)xr|Xtp*SL-6GbeKk24QsuA(GuE@D$_~>B>gAl?EmjaVT zT0<*oKtYnPPyIm%LcS$!Z?m?O3LdCBgqYmgdzeS{bA8FZ!Bb3B7J zG5RyQMWU>(med@^%Rfufd`Ltf2!o8q$qj#n>bFEO%r;5T-!6#-iX?~nqDd4>t}`-e zDnk!uvny_Jn}&1j*pG$3?=#;@FCw`xdO%B!)D9tTo>tf$S>IX*itoY(Q~(bSh8GU) z7}!PR;9DasQELj^Z41Px^Hvp_|Hx-DY0_i{K>ltvvoEi~L^=?JFqt#4vIw{`6*Ir= z$H5KPuWKVqo?}sRtN3Ui?jqJ6Qp!+I=>hU7BIHp(f+FCi{m7fwf)M%LK%A%OMJK z4CW%^A>jrfC)8jVU%2C z5wCD)gjzPGP9|dI`<%L<8jIG_uk$;EquP55>7+-qvIsZkqnMRp3av-o4h@o7DydW0Vv0W zQ805Lh9H+B{A^fU$2uT@gq9t2n-dTD9E%~cWc}rpSzv?a!~G*lC?Rx4{l?;OaceIqD37oTRaT&W0(MNuMA}_& zz$(t|rlhFQ+=vbGuj$wZRAiB^=%uuO-gbNf+!bDy>dJzxnVz$}>Q=3gQ=*twzH@5o zU)0O~U6OB6>=(X&=1UAiE_;0F`8&dNPM%U>nF#eqA*#nQ;9$%W#mwzgnUN-I$&&K9 znq%yjnEOhX_I;IM5+%RW;0A98EWegzu*?44Zi>ZPX5~HuE3Miq%5ENKULTZ*U zx~4D0;5H}zlX`jBWlEYk{%aW)B{Ae^ivFj`0f6Eewi-4!EYbsWC|MzgRZ)zS_FuEg z$|Cw0HP3&45)N2-9ex~-NybalUlRbpE@-?Dn|mG>!B+XY8qy$i?THs($o~ z;0#$OB1|aC%eI&iCHa`8D@>=%AwF4S^W3I4!ePLn26^UI?gK6CTHw`&OL0$wAQdK0 zVj_zSWB36-E0Kh8acOb=#|+j(uMr`IKh(y`@-j!2S<8wuk{e~_B?X<5wL5AlYkFTJ(rd2RBPtBqEADl5mmB`hEL8U3yRzm|PaR-6p-gHYsVm^E zQ&fb{ouPfNwL-6VZ>PV`Tf1(&f+Au!mfw0O*V=|)71X=ka;OMZMOh_)_a zcq3E3HFy6{EI?jaS*i$*t@0&Orfwy@j#CbWoL^5y)C5X`9KKOzS>L(;F9Uu_iJdZ) zQpe;9cXj2KGRFt8ekd~6iz)ufOL#Su4U?e0YL2-MAK31@u+f_ckORYePYb$i(f5WPQa#?}; zr}nlsM2@P{qO6YJ%x7o?KD9n0dVMLrA+4<(NEZgmHCRHp&vs$rUv3Cb+H-qPPCV&* z&-bXwVIkG!4zJg$lK+?{9OaX;r-nDMWLeMAIqAB0s_GXd0K==D$tKsr`b0(5zeOyDWF`ux+fl#f=^W&_WbrFMEVAPOy%TQMDnMT zl(MF&C!A79?H=>nwA2y{5LU~8jh<0TuzMx9U?53mto!y-oJPV#F2t!P68pC_>>Nuw zU?Nw8{LD!LmjVc(?l1HO$GL>5sWLjE$YNs*wq6}qr5)#;0=9E5C5heeXHbGItFI0A z`ud&0J^KW8pPu?#g0`J;Tfzg=QR5rapU;JrG*}HBQ)kcGYSrWA({hH=C-+-hM(ucR z9v=46K~)`bgFWDGKf7$o4yOvKp#EHWhFr^`l%U6D-a$`OVCC5MD4+&=_3%xkZ}jsV zt20*MS3`Y@szB6wQD0xvNTc^+g{Z(0u2|FE-98DKHIf!H$WehG!Vmc_q?xfJue0T46rjAy6oPM?KCSjY@F>c9j~7M+tj;6Lwa|T6poHuzumw;nV=j=7_TR#o~WPflSSu^s)tz9SY%dv ztM_0bR;U_hq5+dN&~&e`IrzmK`?~4y@bKK+-0YNlydI#e9x?DgSx99gHJ7g*N|fNy zOSi=5eo;?bl66Y1lsu!qb0#}YPTk{^LS8-+m8SHF^d> zj)v-Y3@dT;!T}8w3u@3WRt<=#GSM)zd>m>EGo;bEYz|aV81fte#2}FO{c1oAjyq-v z&Rofyk^%w%(C;wy{!Ucw0vlr;X(Hn35FwXjgC|%bjw+-t)6|-f9HGCbB#sM$I@aGG+Q95HG*|w`8BUaIg$k93=A9Xp25n5EHmJ8u)X25 z&Uet~m6k7Jg9t}D>Y{*{$4FyMoHLsy?k}N;I9O4&r(Bw9cksIe?3C$ERh@=C zw|ArzJPEymJ&3P#Jr3K1FyvbXDv;1Oj_)!abqT&~@zSBX2kdzMyFp;!dp1A}_Uet| zoT+e7wl8oin8Phg(&aQa_%nuA2ey3 zd^x!(l9raP_1kG(5LGxb_VKaDiJn~kG-i-JkTE1Aqww@C+bd4Y;%z5)*dh?}DlM`5 zOPiucufj}KuFfs7S|5TCaIizu7ZtVh@j`#oNgS2ce1aKnpkoOqrh`gaZ4$GjHAV4U zCvC9h@PP&jA@1xK(OYa9Kp;RFvfM*eNm*u~;oW?o8|EZrCI&T6_A}Cdhn)p^qAs=k zerN?@y8L0t5M;&03HWT+Pe3(_28-jo!fgy8?iC_!661tDWg*wy!4Z@xJIz06=h>1g z5Ra~RnfmZHPg95$lVs6Qw<6eIeIhkd@0D*4h5~X-Wx0L7>Xzsy5aC zkLxD!%kJ;pFIhwW;lKX(Jn)_Q|G?A#-zJu{nj9L2ELj*K0ss_HmBkt5L#melEQA)M z?jQ~HPh^7%^3#=*q-*bYH+FvakylO*4HdoT_1wxal;B5H0sQ< z{j6sxt#w6y8b>V#Y6!~TcW!qP5n(PbBZWo)lPyIqlt*6-(x?KYi$XckwSq5xdbYfFc^d5G2!0dYU68sNC(*9|Ovx2?tq!40J1 zoCgX2m2^)73@^UVsnm;mckhKXH5&jNbFmk+A@sQU8%H3TPUl1O1_>IEO`qYd{h`Gx zq94hT@)1}@gJ8V=oLre8Jp0T_D1rply%H|GqBZQ zL0Q@T@~7nTbvqiV{mo@Z**YgdH=cg0`>STCi1yvA-RI+u+15IGO+gFy;|`i>dTKkQ z9$v*{dnuiqT#q>DLpB+lc~3Q>jgf$%0c<;ZdLCLdn)v6tx!CtQHD!~L+z*C2Xa(DB zU~JdjLsCvu+C#G5-i-Qa$QG}?{ZFKOCmU2d=rPz|aj8u?v6}6}dhqbe7#lB}(OHva zGdr*B$_Q0{!~oxBzDMSYeWVgGmwGp6JI5#Y`x4KnfmuPUo!kA$J$ZdJ%pj=Ptn}nQ zOF|15A8bm^Bj1+|HQ1s=rD$CO$dRCtV)Z(j(d%**kMt?&Y>}mB!iYO~QU&;5X`EsY z=M}Dm{WIa2-sJwc{H8jBbl>?o$^k5Bd|ILAQZTV{Ys0751;71?{qVo9PNHK+oIWyA zj&<*qliYnhI1=Q?yP`Ic#Fku^?)(zH*<#N{q^3hQo~NLuKIhN0*+I}tH)O;|V%2^5 z&iSv{)gXBs)jt&NmV}=SE&zdraP()H{fprJQV9J}v~O#GrAm)A85s?Z2i! znl6+%qf`H0$1WRnJ|mEQr$^Xo8w<2FUc6uFbg$@q4YjL{#80T>i%D9dwLJ;Z`0}B+ zTu^(vbe1JEWKm=8>7`20qBq_dfR}=kl9AD+5N|3$pV0Ij$Y#0Rf?YRbF z?!g!V_iF_jxW^`A@*M>qgyjupWlw%VzQ=qrgZGr?73%H+>I<#g;EaQHMu=_xcwZWpL8; zqY$=US=+JZ&A&drL^-{q|$toer`(cCOMc zTxg6AeSI+zj(Q`kwZ|(56-B8u3~p$R(k^d0c0`QrJt@HsDcXTa zd`5z_=uz#)+t;Nq{7br!gj&w|IGMl3H2lE|uU_4rI1?vkInL{@%2l;f^Z=?Kcqwql zK)6GjiXG4CczPmRoUab^sO0KUyb|g%q2JK?hR-)OOs-oLb+DP>$%>;h4iUUpIQc2+ zKyOZ_1X~-*$+x)Gr&WPW5JvmB-IsrieKO*9DEF4m)XJ{hY+-(Y zppfPtTiI&MQ1xzo=r)thgswP0KV0F<5Sg%QOF&sBzXMSuo36CZ6Pqh2SAF^c$BIyX zfxf<=pqKsf<~$K(Ii`C#r!zy$bP>L%ME?6z_Qw+sIU#QvD1_e4Tx)}m^R82MF`<0Q zOKvs-9({P~)N9cZ3D-B-=1GguxM}cN9*Q)AZ?aCd0{)!HQf4DBqSq|LC2B23mFwwL z{x0zj0Ptq1!E=nM0c*VksqB=?GBn(f+?L=oo6KD|q8w!MeF-|b$kOVA7Sfja{jVn$ zD~x~=VMnTWAO}mO*?wC*HG#8cFdLPFEaPo67UH^eU_` zid?tXtn}Iq(P}CK5U@~$gMI(hA;f7_X7d{6e>DLG_sMxa4>7g5N$WhWvVx)$~S2gNy2lD@gZKY*!xzXpFRR1Az@HZ z5WA` zK2OEeUkubLRJ1p?^MD>JZ#qkMu1&fh%y+gQG9&DhdxeHd6;=9yd~WQen%&>`4$leL ziAyIyP5Op4Xv~*V@n|g(i~z$5F3;(2)WYW09;lb&k%TV?P*i{OXeSlkc`Ja>O1-#B3^$E=n!qCy1J6L}?{ScbX9>7pv8IxBn0 zG}dUK|Ib317JLubWO<_pCb!&SJ0AE*E>U$JWlQtlUV438?pRVo8NQ*hr!I@b%U>JH zrF7VH?|PRK8r75BPA7=e?okM^mIh{ae#l`+-_``{}MKr)W5Uw1cC=J4^{oSMIHqDsz=2$fBW@Qtj>iM~ZlPDd?6u3jRlD0OUQDLz{Rm zhwnMM)Z~h~p<#sr=^HIt30i9+Do#hY$;xr!t7D($ldNY_-i|$%b8D&_8#V<>p50rV zYA&Afh?tD|B0)$WwJej}#Qw&79WA|gSNOc3fC38C9^2hOVqcJ2xq!4ZaYj@6pg;?l zg%kKpjR^6 ziZu}wAo-n#ix&3^6%a&~!g3@RaCjJP>4X9Ru%}L;j}K=lKHj>_*bJ5uhiLN(<;%&H zMTeh-`{zXu#9|aD2>>m1ba5lQ;t^guLLS9|?OR$t??5>UqDV4XmxuG7uRO}A-2RLj zZ@DgUNQs@z$jUt;JX?i;wY3Y;fbDTHWhUogXR{AWBj}?t&TT*N`4MAOdVK;drT!$3 zoaq{9rw=f}Il;JSGkK>ZjLX`?LHB!)f!J7~swCaH=<{wQDL>=x<8muKQPRzc*6ID3 z^HaXOqxU9r37U)L5E8OhVg~S$1K(`S(7}?D|DX%9$Ntk_XoOBK7rn0Hf0SwN^5 zhW)V=n3q?W)l`@QsF=;|nSdfg?+8GO1Do{T_2*U_Cn@?j-}YE39YH{z*^3{cF$783@r?~e z9tFotmATjtBblgDp-Y!~t@BAN{3~vvKXskiVI6CD+mGH&8Iqi*f*6>*X5U$%gDPyp zU9}reK>3flp^=d}n=`d*rN64XypF=CCTkS>b%nIMFiHI6+g-n#Sfn#+)hSNq7Yi*v zFTne-qt^VJa(I>CvmCnvQzVqT2iiG$4FN?FQvRe};nA3n_KH(LB0xl6kAO1WjBrS)F(^xn)nu7;LN1Y8A-I=NY+V3|N| z$E$o_bQQ{x`A^ku^MB5dKjLki`2CgYY(IXNws()t*W7ykv$2?FGdj}sW_~~~~fl+#G0r?8atTSq3tlPfBQPOAj(d!oMHHMIL~*ZR`c7?vXod7jq%WY?2aTWM-L z8+-5`^)e<@YSG22*>5b?8);}ZYxffy3sy}b0Z2U|7L9(pC=qCAODs#>m?F+DsWw>fTfbT5 z#FUZ?+*+N!Fea@wwSAEno8aYSxP;3IFWcp7j&lVmC?aGPHyrk2f@bpEkOSz)U6M`* zjunpm)yi>k_qwMeXI7|c4p`n*V&W-qvK9hce5HuK`Yjr)divhK&!oV==U#CRjO~t= z8U1E1i@KkruULZ`vslRD{_Z60bbXd@@QT_QBdbj) zTpewx7+i{QMNK&A)fm1h%%Glkop5Yk^2im#w-^vMBZB3M+Sz}8n<<|)`I{m$kG5e8 zW7wBadh#PZ+3oBVa8{`|CoHUM?lb}F0?6VlIbCe@B;r2JAGG4vqFEIGC?k9ca-~xy zhyFBCbt%qRJn_dB04RCf^!A?1v>T{xN&Yq?4K2NrIgN<)-rPAOnjyPd${EoUPVX!B z_N3)rxm0izpm8|@ie2r>@UZ=%z~1)@1kEqaB^Jv^C?F+?mt_5n*jMf_-A$%>OdzD)CM_}{$DndB^ zy3$|1w05F;c^=Df3?ngP%3p;>-;fo&x2QcL-s2rgq4F)dK(N@&hc)!7Gd*f5Zb}#w zl;aruOc|+5e9|)4^JT-2eh<~h#NTWUTQ?z`YQ zSZs;B4(MY%$->YTng`RC>kSSCW48FRukq~@Qsetm#)MAzIU?HjJr&v(=R4mG z@DtSh25(GqHaw?!c@~(uHbGe2S9NeihQ+)+`Qc+8MW&{6DX-{3RjkW&7P=_CH8yI)}ijnik$|aK} z;&Eq?V}nlK6$^$ev1|;*-LQ zlbfQ)9$MeFCHwQrU>a2=WV*rlMEeo~j>mkvAH^-tvdc`k1cu0K^O5KHc|;~mefIJF>AmZEd0gtM>zMOB>-e7Y*oiN+c23vi zEdh-KE#p^liJ;4AclKo|d03o1GWg`{C>3h3Sjo-NT_VQ0wDI9+1&QuU^tLN}UZ^P~ zwU~<7Ds%FYQ8Qt=qr?n(KITdm>J(B*)?4S(p%#p9Ggx!#62tjB>4hWaWJK{Fak=RI zowH?g{#~slzcnzqDB}%|p{N}EnS*3Pn5%EJbghv_%l*`e``X@#oaA`BY_s{jc<(I6 zB$4|wLzeW`E*~DdtYrD1U!X;o-l+ywi8r>7jMSpwh+f{n9qcfNtc z`v)JX<~LU4o-ygtj{(`j^U+o8=g@vGuvG#4gw9-kmD>njN+e zHd=@-IYEtjs1+7~$=u1gufJDOuX;~|AF^DNmG^m%*<2s3cGI7L)m%gD>&Xr z0)BJBaU{*o$x<-A-i~l`K8q0fT?$Xn<|+t%Q#bZ#4$6JybUr%5LM7HZ68{Aq*<%)O z$mw68h|ztZ;(9M2zg%N1;e7_geS_VbR6rHic}AmFo$4QR154z3%||J6d>L`M*x3Jj zBiFM}9qJ4>c{&1aq@`dq<)rL3QviKA76wU+;cP;SFBiQ#6O00uGFoZ)m&9_L5bfeS zE5ES&;2sKVYU*@oV(hV;!3QCmiZjv29V*wBOWJfEvg+bw`f=b~qs1JzZMw=>eSm2+ zN)oW;d1|*~K$pW6PjdR<`sE>-&-wBV?Qtr`?DdM#`Sf^d6|>9z(hXl1gC*Tf(0h!d zH3XJl_L%ll%bT$Qu*PC}rQIFE$PU)HFUvE{IQ;>4AJbDZnh3;_z~`Amv^spaevCx5 zQz`gGNo%#sgrTb#)ce`Q*-nHp##e>A_NLL;2d3P`Ln)jUu-YvOYgTuY0wvKLrQQbh-FGn`e zRJg|82b^ub{g*sxt)yjc@}ma*C4;%Y@H>+^czHd*u21GVO$S$)Qp*yh4i;QV{=j+! zuM43U^GQgr|BI+^49_HJ+6^|gZEkGaHa50x+qP{d8{4*Rn@_mW$@jkJJLli@T+`Lv z(>2{)HFe*GpP~pHGSB_zK^g>YvrDFItJ&Mhk+w?6QnARmv#;cBV(Au2!rPGqBT|YX5#1U3^w9TI(Ng-K&_=J`p~5HWho(G~h8g zS+a;`XOEw-jLOWDUZ~)`vYE>Q!w1@T_U++`g3lqWR5zkpJ5!JWcivA>8J9Ialvi(C zsp6Vlbs_T5BdZYP$(8M7&chO~!zOvc`XG zBiH;9sN>?Jfb@=dtKx?b%;EVqm;a6fi~R@TXE(nQGM$Penluk~+;_eyC=B@Gf-t?^ zD^+&6=w8bvbWVnW?hgWCs>L(?q{7gBv%%dSjPev;%(8yTn#k3`v%ozNjh71|R}JYj z<*Z4_E#9A2NY(5mIMFHrB>Y%(!h_I1q{qdj~)jqyZ^P4kEp6e$Z`vpL{~#rJW0I;IH51MrDq(OLq{%daK6%b<0&bdLMS z^H&hS2^RMq+{W79Rkhr@qi^nw-_iUIc0 zokUB^+Sx&yeHA#c!|7NX*076cP+1l8vn`uH+?RpPIlh`e&j}%D&wT2III;xtS2Op* zd9z^G$`qRFr**@EQic;bK1wrXS4Y5`-mrqx4E^JkC8H%HX3ycEG8HOIAM0~XEV1}v zqF`Q+q!xxhc(8}A=_O!sji;94+EQI8&-gFpdsY}TUpoqkr%S2Q46XLIHDskW@B+Kj z=bdeAN!Ks}9=Gx_y%jS>HZQBWP4gN@vBTXv397{PIlC)|P1K0&U+>fafbUUXUq(~y zQuOLSuc8%gqw96rwdQNdM(mq49G?ojqZnpSxf?#A$My%F@6Y!pY9<8p!>+J!VCgp- zcO2cjdiSHMrB^Ur%&okee$Dc=7?h+~N6riMJ?W`{nCd^O0!3gb9xd%9*LG#ICQG7F z3ZQOl?@x>>tYQmxQ&CH4{;s<2v3S$syVb{M{+TSQlI1Eb_R_?!&AzZ6_2_i&51U?i zoStnzEA?t$6)cm%egT{{!nIHyv>eBt(4woVM#t|^6f?VpB151=Ad0*PmK(7zBJePpB{KR>u!y}Qq zwO3OF>uQd2lY0;F(iA47#5qojitV2chc*{gVs~V2FqvsWSFDQ>MuASQB&Bae z-`paUxiB=ryNbAQr>^VnFFnx*QP!yyOe`IoE2X7^>JFHUtMNruh@A%LgztW_?QTzq zr+7r5IXRW{`tp22u-A9-Z*s>2E-=+<{){I0!j=0tg6@9DO9p|VoNrA$fKQHPkCp?F zh06V5pJ}-Qap&UrjP!~su+1_2d%vJ>>0ToSK?f|}Ff8%o{KC*}{HWR48(s(H*WxvU z@EdmzG{P2u8#w?^LRWfUsVfEeFEDi`L!E;B|JeS1=qT7y*6?o(F}-Luc{4xMN+#~F zsK!?BhVI_!nI9@@p8q{s#s%=|#pKTLsp9D3Fo&~Y3n&&WlquVrf)UU?4A)Ip!D20j zb#zdkjGQFmD53*v^wa1WPj?bDY#M>@M&nEUxN(!ekKlGbOu-xRMwtuTYQnC5rHrId zfl@H3ePtNkw~n*DFZN`FZr?Le$ila+VT36g9V&#Fepbz08O%clI4!sEC^y#}J1t4^ z`I?b4n~5+KYap<+JaZfb3g^f@5+E7WpI*_mDSSFT+ggbXX5y7sfCa;;ll)3o>_X-ND2skI#Jcsnk{lbrfNbkZxfdUB z|30-%RtM%NRJKsy<~Y=(*-y48JG-YeW&Sa>mM$$7x#Hp6e}xvTtQRU78^3fo`<2ke z`!D|ZU%mK+cN6GQ)Nln2Kw4{c4#EqFZo|?rmu+>>^tKDhX?{`Xzj! zHTxrl#n(oEE#TnTp-kYR1wvx4E)|GiCHQD5GzOx~u!$L~q^9K?d0auaHW=^0)=IUk zQGy>WS(9?(s3bbKay>xHQZ_&t833C~$?20(O(x41?7)@`i6YB6koJRqp9(`QqpjA{ z2e^<}D4M|6I}k26w1FVpF6V3v1G3dsv$Y=-rTsc2zrqv?Tr0*Kf0#3Dn;F#kr($xL z)4z7yetj{7%YCJ_dot&(6*o^2cqFh!LNzB(Pdh;!m72FFfZ22bi<0jW23d>f#fKf7 zXbWLd3SW+yCa-N8=WGvFNYO9U92=@gq5pt`Ik+$W(x1!s$IJJ8?T`AH6a`4pZYuSb zR+0JOU`)J$7fGrV5EBgMnA1@-87(l=QU0;c1i+C`3d%KuJJQ*+sYTg{*kHFSEMer_ z!P*IzRq`Wa)D=qE<8h?Pwy?zpUCKM&(KK0Vq;(Z%aYSDH@~rGph&A#AAG zPTm>V1dt4Md!e^tgfdr#;JnbV)5pgrPYsi(OJ;B+MhV6B`QN+ptgn+7GX08-3$|ub z{0upbfTY~mcX$|_X7=Z{WJPY3l$Shpm9yHRQsN3WEbUV;MyIU^Xw;TiN=pA5eU8<8 zSUP52;#?R<8lQA5Y7NiQj0V|^jt#H>5Y-$x!=-Xqf~71`iz(%w$`n61564|^#h#w| zm5MphY96`SaJbcmE)NW>&vtl)A@D}mOnb}Ph=2QFAi;&BvXylJfRP<*z)IR@bjqw2 zr(*#yWToxdURT(^!ru4h3A5NpNKLua;=3Ij({G~F(xvA21sC!RajaVpo$16}Y`@?8 zro#{#x!R3)E|wY877GF9l5dHCcq$cd-;iKq-*SC<7tHr+g_Illm3OWEFHtTVIf#L& zXj#rikJ1L~s|_Fk1CQgRV8KX~PzMwGiPd9F1+y>2h3=OV%^3R9-p-k;^G z&9%cKJJqAy47jR_n_J>N_(|0~f8*&;14edoJGyD4ApAG@QN6^ymJ)%k9H>sClMD1I z*~k)L#^j|3Q5D4K?S#ZeFzjX#Emc$7NxAnimm)iM+O?AeixdlD`37#Zma*_P)(_?+ zfs|}6M8NII0pybR8Y(?5QN__Muy(3joxk3O55-D=&88t-6TaCk8w{24wHM{RLc4T z^0W|8{e2Egf4yH3QBY^$QY!I0NJO>w{nK-X<pubnbh^@TpU`|BmNn?%V7{fqETwajij0zw{+LvYog&fe-HCk55kxXX zXF$=G?8Kha6+{(z(SBZaNby?gO;gsxppCn|8AQ+zN_5P;>08ojj$*BcI?4ap4sg(z z3-s!O)z@~$(ILM(^)&>)q{*8>GLOXa?}mgN6AU{`aiU?Lxsn3vBvpx8TG;-8C%VrEo>h{! z1)^=3;X=O0*dHZSu!4rI!Mi1JSFH2m%tww2>00dy1xYGOkH32U6@AfyEBbZyOF@W{ zs+X@-cUFVkMjHa3?%A7PeYxeeO)k?!qsD}KHd;$;&|4isZtmRN@L&x+clmq;W8-xdL(P@^ z`N;PJr#TB+H;QtV_>^HhA3m&?CnKm7DKJy40+6(P%h$XPF`>-8rd95)GnTB!rN&~4 z)S~Q0em;Ev7y=hP-#E#eXBi!Wm>z}{BLJVVcF4MntrpfMzh}SVmqUw=YhO(mLhXq& z)1&9Z^0S+)sB9!kuE90dhc_tkEtM4rWgq1f=7ZC?;?`ekeDi-i4-bGbC24o`5Y=E> z&AbsoP<{ejMB$O=dmnsrS5fguLVijk} zqFR!X0wXhl?~Cal&al+2M{_;@!B?vyY=8zP2Wz4VzAN_qR&<*r!rwxn3;=oiu_#GG zgnGebCbmP%l4xC9Uz`ryQF~Z7P^3|^m(YP`@~ft3xZT(fLwhiA^;0+MkV5-QI*H(7rww zjeNC=b}NIL`r#cpuU$oJCa3!4f&KOfRx>P%NUnL?&>+K~vPyUa(EYg2NGk=7g5Oi?8$Asc~J0B{DvZ}&@2G+#(X|RxQ#M3I0vj5EAt+1+IVYc(o?0F$?9dPQ;eoGCurI$OK0?e{Ac3=2q+l ztAD5?Eidir96FrZm92&1d*}@xytk&mZLZ_4p3lZcU3?%Ze-Cr48B{IjE2T|U31G@# z{@vG>AuhC?_lPg1J~EST z3!NG-G4~PYl;hcpClouzz0|;Ck}9G&a8K^BoGWJ#ZE`zFG|tXIFB4)$Cu{CZ*Yq~A z$&383SF-3lcxK6W?LyE3+BV7g1kr2S#e5HWbe&nW4pj%ThPq~Ntb%%pHh#WbB^{O= z(nk2bk1Z9ugH}LIfvI606k&XZKh97{(K=kNefpY*Wo*;GCP3A5Ajj!N^Eppbluo<2;X^HaLIK5RX??Z8(d&Sc<%YWOgTn5q zhKV1zZ`CuH&v}>LzdC|Euh^Ps+M0E+6RjJ{pX1UmTLi*(ChOKrsgwA7EmxbKec@B$6oqK8cp}SMomTP<=2JF;;!zOfCLDedkA1pD)Axf zTOLO;QozHaUUI75muzq2<=I+nsX{-*V0lfZ|7< zcGc^78=-`$fo)YQ^4znNi_+$r@g^H}cmLjPc*uyq^o)d}BG)SOvaJGwiyMB|OC;{XA93@Vt782Gcy74hc4R%7talhTc>asB}&?Wchl$8O7|e%WQ*+={V`H{J|03IL>QS@xpu;Rl;Mpp7j*}c~Y9lC?^kZ zJQa7=>)CXA&uy0zMdXq{JuH}v2J0Bzeys0M&^5$Keh(OIr=kjryh*{A8l+<&&bq%K z@J?KR5LdchDfnzAC{1{HcnJ*$Z8^H(_%}(MH!D?|VH}Pvr3NPBk;-ARlT!`$FN$7!B%F%g{b>oADX|41npb%1gu9=F)iZiaX zGowUW-5P#B@tfPgFbeASe_NT7=B2qA}9#@uBWBVr0%^)Jt|9 zv7!hXuMhd4Zd&YS@MbmjN*nwzY=t&o$vu*{g0>Tt($EaB`*<~lV65*=3J8{ES=G;=MyHlJ`i*I`9{m3YLx zy|}t=@VZbRcQZKxY~J{~gDL2-?va~miZ%^}+)!Q|#3M`b3^pj~JIvw1spH{WhJ&JR ziEXjP#W!*YUrzB_$^Mz;EUKqW#bq#5&J-JFwgY|x{QZ`WcM3B}BI;+Fv^ugxk4xnD z89j>2RDD1#-cY7?#ZCuN%GE;zcT-rDo3TtJxYm2rm8Jve?cA5Mjl#XHN^7m&!Cs4U zu#C3bY|w(vV|K<9cu-j$#a(m6>txz`_c_BGITpmMK&2>KzM(q;c+VGT-8B9tS+Z74pbGLwrVOPf`==|sldN{@G9IAy~m+j4eg=Xku@tvv>9U_RS{zDrCuea3A9 zxhs!9$*$^!baXZra@#{vx-Xz>iL63gm!ZAO8ih3IdmvYr7p?&?oG&f~c}e{N9tYs* z$(Tgg(POJCJDK0ZA5^v&{TWrb0yc6*uE&6PWSoX~62uN$oj&$#mwzj@TMOFkLg;s= z2$3F*BkpZV)=O<_v%@v@!x3H1dv=`K=UP|ADF}ZT5Bfz3_I6fB5f7_EXY~19Q*Jq5 zV20*ey*cutOsawx7|z`kq0^ZJdBvIOc@wMR?L-o@OY=78!S{p};&ElTbA@NkxJu20 z=gk5(M6f=YLPMJ-SDb+4mKvm`c95tE`n~rPo45!0V<;*5^)l3?$HSG}A}cW9{9vm~ zw%#mx?yTn{6lL9*J;qS6yD%cetOhGec9XU&Xl`9=#XS0qnT(h+;-})$qfMf|otXXC z!*}$B&_UL%`^;JN89MfKh{BA{#wB>iPmWLX9arB=-7D10GTWn1uTt$Y zifp7=o1>KlSS>}t4>R+ImW#wACRp^je8Cg|oAOp;t-r<1lgO7IEoS3;vas3>X`M#T z8J#PIw#KiozG#E`UQ8bf3DO(Urb3nQ15i;si=dJ|FeshAqab-bey{%c_A+^5hJ|zz zN##DAQ@H5;MA8^ASP~Itd(`rHt6Cb4NSH^+kH^_D6_@1Nek~Py=aCF0k!fG5}kVn0;uhvd8Bk4UJ z^#Ew3UB&r)*s9_GcnXYKuDC3-<^adjxNnx+dfg^rgHc4J;yH%9rPA)vx^j7yKq(a` z4S}?mpB7x>sh$PGl<5u0-M#CIPZ{{X^f}Fap9YZVc3K3h6piSn4zrz9Gufa-v{JX> zfy2EUZnaI{pJ_=iVbg(&W%brUB@UjLo1kU(M$D z`|5_ZX^d#tjJ)2lFI} zTtSP2X0^aRiNOvqWb!|cYe!NsW>$Brp(q$XwccFH+DqiW@d~3`q-y}Q8a36_3bA2J zk&+0o5y76kpRUizvADd)gL0=aY&OHNHk)4gR4P;%K;r*Xsm0?QT9#oxSTZsG)mx_% zF+QF(2M$+$aT+cM(hI*06}>&Ux_Fx3WN&syK_q&s6rkW3!PyoTrGaftpG!h=3t#5? zH5IvJxdd4u8e_S$Mq`}G)jz&2$iD@uGHXDieo*+!B5k^)doKoh1R#9h;s9#-r`F;llOK!W-v>`Q-A~UU*Beb}O2E*%rad zt+HZYAvaT2c#hbJ34Lcb#u&vjsNKAbIi|}QLYvyP)VH@*WaFGMBRbs?zW&9KR&)80 zGH9njpACB+XBraKI0?9WKAISHN{k`hIC{C0vGi67jQDBC zJ?3Plr8p#bvG7E$#kV~;e8x7N&dzAMokl?ha`>0X!$&@(uU2QkaMHuL#hx7&JGR*t zh}C>`OPpvsB2%&TUeL}Vhb&C#lGga$hF`^jLr$YQE+iBb@%;#wDZE|)7Sxaan3+3) z`z%LS(s@24u{V6l$p2%z69NcanA+lN3>IQZuVbPVV0i?X>lc2jfS3DxiVZIy@9oBNe1baP}ly zyki)O4OGvP(^?x;ayRqi!na>8h!IPkZIo;m2Gn8`9Xae!pd-WRa1jgV_ zISek3rxJ!0P2t$1woc?=Vju~+#fiag_JCkN?@z}05)qJq3$v4dG9|1Mch!3o{xv5u zI5m^eK$pLwuNrlwD5Iq7Zs*pkCdBIzf#hmsqxHRQ^U(bqb%K5my@=XcT3o&oOOf8n3+h z0^GSbQDodb8sWzcYBRC@5bY zWGG|)7w}ttHxvm0Rwzwv@T`pwYn=r0C12{5I~BU1d9=omBL?~dzccDto;aAlhEH?M z`}$Am^m}lR6{$)oBKAx6XhR*>-sc=2@m(cG;QG9bLA~HB%DW;tMQXI!Lx7AU3tD+; zjKS^!f<|WxNnIS4ta}LJl@4e*rY6Snb_p$78yE@}zCXZ+&hF~I0!b)7i+$#W%ql49 zv@x1JnxX@31XO9~zy?7RMj2$9bNBaQywl@uRbfcrIG z@7H6^lde|y;WM%A(=g^9Uj|mYJQKi@fj8b^aLi1u=ac?sFk|&N!pW2B?!h6Jz@Y<7 zMj6)Vl1AQw8Lh-kLKA*la>}3(Fqp<+u%Ek+%*_IC5=a^J5)>=)S!tuD)+dq(o5d;n z-COwZmi>~3t6)f=wjERNj8DiOG3diy+6jaDJ5ip`*Y8i?ra@hk5p(s7_}atpwkr4X z{1wDhIql*6ki}Qy_GmtOe|+UqfUAjob}s2|+iIc7Ah`%PD@9W_@1BHyRB010y#f65 z2rgpbPm+WG#sY|fWk89)y)`D#M7Z_O{0s(Z-5T=~pBj!8^U2AEDs6FJqnWRtPqz)V z7hwGZLPC_`^_u+6&piv@)oZ|%rX{aGWsnhgC(qHskj}2oxn}^uBo_>qJ!9QD`*yW$ z@%W}1v%#1?r@Px|W$iObRSa3En8$4`c|DvpgMDWyMPR}zDLYYAgA&djpX45S4cOKH zN5qcX1TA#=Llm=)>(1O@?NnGiIKLT{Z<+P#@Ji_$Pl{TwzkIy&HS&1#x^VR7e9AwcxPnTuQsK22h3R8m)$&)U$1OfGvcwfQy!N#|KMEubV(4g z#jQz38@eUQaLKg1E!hex<4D|&RdUz`RRibVxQR*j@$RXLFfJl4_yP=i+Y78XB2cU> z7c62aW;7KP6pOxFX_Cbr?zbc#zgOV7$NhI0lgBVdk&sSek~E`?1UQ~Z*;V|^1*B0g zc+Ov>jJlpcq&!z)uSK$?TC^u*NQR4u1z88?QD=J-vB$fip9VjFD5!6!z};KTuHN4n zecyNi;&#AEFs$6LhTg`IPfYanpMd?To*Vy_m4F|GdnqGmAYu;>m_%osS}kc zkMhI1)KIdbu_4*IX&0yap)3rstpm790i*C|O-XkKR^aTUoa0yuLpHG=*%pn`c@X2f zZ4IilfnXqF3I=z@{}swQ(sKlio;JY(=`=K{2*5=#nO8oBT)CqMAM4?dF>!h8+io zmtJ)NlZ3)qjYezi_Zqp)TA{vDq)O+CA7w3xH|rWFc^czeV7m=nCx&z}p7uKL;~r?D zwyp#?M^GLwM-+%SK1DRL-xZ|uR z#Xs&;Z1hfK6bcJ-6=q*bzMELR{a*PsQyUQS#MNxE4Be-A?$X_Fag@J9;a}~J9bB|Z zJ-hkj`1ld*Ju@Q$zALlI|k@jwbFd`M6-M4@u z0x#$0j~bWf@|Rnbok>4SIWG}ZKcRg0rJ}g$Y5p~gJl|w~TX;W_%@0A3yB@p7Req3+;CIg1owlxOnTCBA9ulzc^weEhey&{oB?hWjK&*ibowNrJ;fTN+giS!#}auRsq{tybF-+wCw;w*RS=@~umn zg54|@rKWYDH{Pl6C0-9@`D-GsGt(+<)i5{kJCs{;KzX|I?5kP9kZ+mtHIF ze~bVBK6|3-{p;qdUH7t5_^994<|6&)TW?b#foiRvsK+;)N0Sov<-X&8#kCSuG*h-q zlG=PnyP@Y1_P%Pm6BW^aGbxk1l;y@1xu9Le5&u3a&DIA@yyh>3dDTh@_eF6 zAfH%e{b?Wp_DPY0^=p|>-i`klZF3uy5`08YmD3S+epC0bQu3nuB02valt6YoAY%J$ z^XKd}*}K}4FQLl8`VwWY+`;&}WCH(<HoeQ;lw2c1%a&!y+0_&0^Q*qOBKptTrL-girW}w zT2J4-9}jh63ihYSy)zm!tuW7slYX;Ye-pg}bF^CPkDZ|(_>)TogqXAsTk}krPYz42 zczse$sO96I5lX(l1B#u7sms}7EMNDs9n(Fc5RxABDIZULjsLCUtl^{tJPx)9&XtNQa^^|1z0K3n$r-M0TydTN6#xvSgA zerpgYH|PH@i1X~A+*la@VosBT38owr?J1eCJv<1kY6NYVUi@8#uyZ7vp?*r{*j9gl z!B*QDTdIMF?bYFQr2e$~SL*#$CWUiSemhQT_lQ=(BXr?0L?N@sK54RXq`|f_G^}QQ zbLTZIwz+>+Y)l2u4=0W=HDg-_KbxPZ(s#%oG=%?Z+zZJsq3>|kabgW(c1wN; zggi1Tc_Ff``>Kt2GwxpnpuvXZrx$hBRN=*T!KuuP~>QDi(Lpm9m3svK7Uh7?KlTZ`K{81(0AN3|!AvGVwv+6%y`=x7r6w1>3k0 ztA&c=Yg}nXYGG*>dp`8-T~5?%?o3fM-N6j!_c89FVn{@OLxv9pc07zP1K_tZhR0rgYYah`Cz|(zxSS;!XPJ-BKFjr ze|o!UPcGCpASpjssBJ@+7M+{1>7lCloTz#iwK`pNAkBu>l&dd7m_bFm)jB$^%E=j< z&q;7y>0HitySXcNqBc(-KUwqT4%h^N9$e_okeWle45ku<{U4N$_V|Bg24L>~!MrdQMt`Zc^0?RLON~&| zQDRLV<8MujDPtNNOH$;ySSYn2W$m_+j&?u+!&>ERxn~&-7a}LzU7z|f$~G7nSo)+na7R6 zet%tf`|4{19t(^dIf2yKfzP8{?2bx`e~=ZjxaK_}Q9GWx`9_D^J)h?${#=+lO7h@F z0EU~zpGdGoG}gMMcwi*SCT`#iTlTc3m;RmzW4SJIvb^5faOvFx}n^rR;px< zc$kF!2O(;u(L|1Y{7hS0+B*SnLU&E88u@#lg73;J)J&cBbTDn;4va7rbXV@Q=vJ1e z6@Zng#(?N%OxD&^dn{RAweRx;K zXfZ;lVR}YFLs6Sm1hJA%vw;1?@u`pL#G5t6s3M?TB~S%$i^}0WU^QK}SNnU$iV4E3 zSGYIN(c<;q(N)$uKnF_`T_F6S3HQG6crZs8HPxc*Bu>%Z9-KriwMgBC{ivzx!}9>P zZK=pY&+P=hE+R)m{$qT3>dTP{A`v7WkreHQNSHT45O46VSy8y3_PP2iGsMcxep>-w zOBwj4KSANgbQmk;VC!CuYeea6yz>y(w((DAjecXvF%8-!tPY$+0qY;Q?0r~#SR@@D zNpupQJlD}6&6_ivaw(8=gP>}rj5;79!dh&1FlS`$-59yWfU&=0F!~EaUhPDflc_$W zHghmiU=p48ipEGqAB^2VzwWTX5Sk#ofw*rC<01Lc;s77zyEWFF{a`+|ZftUtU+Y0% z(zWK}{rRNQlB=$$zmk~Qnz0xm>|tikKCm76LIf?*Tb~*MO5wm@$hImEjv|7^F5=iQ z-t8PScsy894ss+Cd%HF9%&YOrZANm6MY#m3Hhj2Gqt~NdOiB@zd}M6!-y_sViuH#{ zRry&k2Ulaz+;b*#b6&eKWnFu&L zHdI@>x~Li-B=61NjiM?9yg}h*3p<-*YM#`@UqxtH04ya4IAM~YG?i|i*=4#tx?t~{daQ*6-8BDSXT zQ*=3F-yg_R3?;H-N6q+*Mxm|RM#1PIpwe2lqSoDv(RwoIX@8f-{4I$3lUe~;a1_o; zZyqu_hjw7?u$hxX^zY@0s6&REW=bghF^PJ(ZRJ>G+HT>NoPc**y?nBlXhqBndT`qg zWq7ATc&HJ{XQ-1u7sK-&qTNZN+N(2-5`#-M`=iK#C-f@sJxT&W67jJk-KkIjGJ)9D z=QYq=x1{b*E^RR5mm6buirTL!nXY%4ht>W8&cAW5|I8B^pow6)#Uff_Hlt>kXHz0| zkc7qtRNUpfmmwMNPI(ekwFS+}!qIhhQ3$F#X=GkZ&JsD8j>!rD_!RIwG=p02;TJVK zNR6?@Y5xR~CI$!6PR4%CcXdQT`WR)j5vG036FQ=>M=2h=4ESkA1UNYsm)As~g7$Dy z*}@Rf`F%E+zsPVi>T4-hVWSKe$YaA~wM2<_Aqs`_)YnoMZgF#qN-363d4WefBf*Kp z{qBv5?nF9`+FbQTy}Uw^V7rExJ$DDs%S>= zWRRmeJ)#Pno+BEuCpYU{DxF5>>`@9@ zQ+7p8hcot`!)rEhzEyxhA0mbB1erxR(8)gu*r2`Qg)RRjK{W+mwAST-Sbz;gAT*eL z*8&C`?|P1@s05_5lPPAl8iv=fGyFW=e6BT`G&SUIXoM^Qu#|u^Ll_!f%$`rH;Rx-L z$@FOpkl($qz9%$M&k2X8H8+YTrh>D7EY$qI^%&&LJUcV59UUU!(K^tc!N6%20HXRK z0R6$WoW5$NW=j(h(d7qkZhAsnW69ge}Z-Q}A+|CGg?*FF$)W|^O7kH_wjGoH|x z(VIP*L6LWX=>sno?0T=nA$I~k=^&Wz)ZqNUeM(nxT{Fo&ywbqKPXT|BgcvOho!@&o zUM@ucCrF>~L~r@7D7!}E<=oJX{(P_jUugtgY6E{mR?{6w z{yo;?l$q4aZer|&Ha|ZvB0fsUiYaweom>>B=TWp{?dJ|x7c^I%+A6{932rk#$-Cj&|VPDhN)^XQjo!<3^*U= z+y^Gv6P`dCi42zjniEvIRFF*B3ge3+NhvTM=C)=ts_PA3$>bPtBFXY8@W%j>zsr^i zKrS`DGP$Qh?QuJ%_Sf|N1w3e6zC(4F;K{_*j~ykbewQWE)UMLkYoOH*1Rl1!%3^FVNk2f}amtgEbqDw@_TDR<9G zyS&NNl8I#1Qede1W8ueto=sPl5sp4PJyeTYs)QlD;4CX%+ZW)}MkfB1F=jHlSxC6_ zII-?v7+yB0m*15Kej98uMpY_^y+DbQcOM@{loPGLQ{9C?3l7`^nsD8IU*AlD828U9QAjTFf8blAp;GKpq$!Apw+RMmWrtwMyH*wm*R7LpiN#|(qb># z94SwFY`#MnF6j0f;$aP^EK*)Ti=#x4VSRLKP5yj7(jz zepEc__*o6Nk%+;OZgOM@e8x8}8lqN3#7iAy#pr<`FJ2-q*iO zZgjc@%tAAX6o^L`GCCgAh)T}HWf!LB`m++j{sSD6uD#EgCRKQ z)b(jZBLuk+Cs&{~m9^ycJ?3M<;ryKd1I3vhlDqqFq~7}`ZR+)Dr3j#OVRyB;P_c}Z zXgh-9v`0!23^y)|y#OQti8_pra5_U1zFM@Z^@Rlu!;mg__tuzl|Fx(T2$TYyA|+IU z`WqhzlkvRH;k*qzY)A;E z3`NE~E9UNj6B_G3hVxUAV8r4pT*;%iR`ZYfig(AFaAb<3>6ZoX$}TA?QX+-mS5Uev z)wK=t2w4fzx72&01W-#>D&r}~@wK8hUp0B%&>ufhkXX)8&Z7u&lq*Gu;RtDzmrI!v z32ZZFH$_I%`^YPtZ^kn+64?nd(a+yRs3Z-Kj)%4NqAElgpB$JVF$`)vfrsyAx0iX@ z6gS+y-WT$AcF8Pq*~LdVDXp4@)bYMZXlq!}J1__;yO|>K3;nE3e?>)hUN01I_#6}m zNT!TJrtRcN*To>n9-00kSiv&L<`z`*#il0N%_do=-ggqo-+zitlBquUzK`wSkJ@Je zN4UN(e7(B>BtGk2cnlwIJW$+ji@Pb}fUuu!_>1+GNoM?uUf1{0p?c#A;wN>|Mz|Ti zFQ%Q$pYV3DzIz16zl66R37D80QDzvlBh)tA+Dv;=GI;GMFEt)ec{i6gfw@G$qP!m} zjlP%E?)O2h^WFe?hH-46_x)8iMXh@K5faKx9nh$i&msk{4}qg>t3D1>FfzOh&UrscECRm&k-B_oqB1WHewnux2ZHx?Ag=LBHgBz!^ zR)h098dA%&!`j3+MYqD;MZ9Ggw=c-(312k+-tTMt?~K8WfauLdyI=iueTWwZwJgwXTz1%f_ z9r5qR<%m}YBL>tu zgKmO;bn3u(AFxv05BwXAH{|EH9_v|UAP6_QL6&K-*`wY<+-{CcKpW z+K5x^-L%c z-;$5-kzZ{zXE2|4zUYwKu0|C09mjZHdVt~V6Sv|X3N7oE*C+qpky5M17QUPV`_Nj) zN1q)(Oh0$Ce}WG(#?sSL8w2?vj4vI(F*z_nxC_#!{D%kLeo7>Vb!37oV2tsA5Os3* zPs?`*s&^APCktJzt2LB=CSoS1R&kYP=nba5glev&&g=DR3dxxy4kfi~I2C`|N``t@ zk26ZWG*Ce%+7wrjada`ql~(=w((@XakJSZ{7l^(C0M_H>JoDtRRQHL`Z2M{)Q8IFe)}|)!I1}(`<71H{@&inX{2wAmtlA*(YT1u9*b}V-&iBP^3*bn;pnbu zYz;&&zTFh96{{7n_ct@`=4dG}cx7+7*8>c}a{G$edX|M1+Oud!H>A*lU{xcgS!qh6COX*hm7vC(YB zd9xr53{+uZ@reZrMHI|2jf#O$WWF=2pxJ_xw^}hK#ibS_3EHno@X;ItN#$?Y(0}tl zJczgbEdp9FLZuR_Jtou8?_BM3v9HFmta{j2;94$4swdd&5udRya`k5Ww-lsjgslk& z8Wod4#=)N4W6$M+cddKJ|3Hhbj~};@(cm8(W)`wQ)Nf$AIEes@;VNjKo1I5Vu48WTEGgJQ3>V=!wTyxqwV1B&%vOk%T8}Q$LA~wUXmX_n7qllN+z4eKbGRs3^qE(Pw#y4jr9x;bqdh}7yLZ7;#_+L(+Jw826YG)) z(T45SJ(A>8DyT3|-Txkws&~TzpufJn%^_L~hnaZ^G#Z3cwSt?UWg*zjf!kf+N~sfdiIG7k4A zWq_Ndtpb0!Ff(|rT#mKBOK!1$D;+%@EO8XAhk**>(S?ED|Ep)qZz`&9z+JAHpMpjX zO$~o+5*e~0cm7qWsJ!Yg&5+ao(!4sY^;KiI=yGu>4d|~v6LX`hDp|Wu8DLVHZhE@Ut?7e`#CWIk3 zk{Ae==iiIXLg(D`aeMTQbebrp<2z9rcppe~vQpTJyU#`}T+O*ON zSe);C-AqU>_@A1=k4~D=4#>97^qIdzG&wB9Dtv8luu>G~an)mOu~Fa{tsEDbPZKz- z4mrhgjNL6g75Zf%7E%}ngdP1yrjg#VXDLM>By4& zXq-svaYA0FlGwiF%bGTt|FdeFv_4yI&f~T_qd6Eo9su<$;^&n% zEI&!5xY;$RR{*cUn{`^Eb#{91t3Mjn(^_6ga@w>AIDO%qbmHt;*StJE54p-)->y$B zdeVORLEjNih1U)p^CrshgWLf;|D`aBMHYA;%s+i_cnJWRzvi&W0V$vv9d_!VW(|nF v=)5P$6(IJD;xvYe(#y;Ky@Sd Date: Thu, 15 Feb 2018 17:17:36 -0800 Subject: [PATCH 2/7] move topic up --- ...ows-defender-advanced-threat-protection.md | 51 ++++++++++--------- ...ows-defender-advanced-threat-protection.md | 2 + ...ows-defender-advanced-threat-protection.md | 3 ++ 3 files changed, 31 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 3d6c6ef939..4a952a3d15 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -30,7 +30,7 @@ Windows Defender ATP supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 -## Onboard server endpoints +## Onboard server endpoints [MICHAL - SHOULD THIS BE JUST FOR 2012R2?] To onboard your servers to Windows Defender ATP, you’ll need to: @@ -40,6 +40,31 @@ To onboard your servers to Windows Defender ATP, you’ll need to: >[!TIP] > After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +## Onboard Windows Server 2016 +You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. + +1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). + +2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md). + +3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerSHell command to verify that the passive mode was configured: + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + +4. Run the following command to check if Windows Defender AV is installed: + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + ### Turn on Server monitoring from the Windows Defender Security Center portal @@ -79,30 +104,6 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | -## Onboard Windows Server 2016 -You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. - -1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). - -2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md). - -3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: - - a. Set the following registry entry: - - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - - Name: ForceDefenderPassiveMode - - Value: 1 - - b. Run the following PowerSHell command to verify that the passive mode was configured: - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` - - c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) - -4. Run the following command to check if Windows Defender AV is installed: - ```sc query Windefend``` - - If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). ### Offboard server endpoints diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 3027bbe7f9..93789c9802 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -128,6 +128,8 @@ You must configure the signature updates on the Windows Defender ATP endpoints w When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. +Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md). + For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). ## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 17df4fab03..9e6ca0a733 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -47,6 +47,9 @@ You must configure the signature updates on the Windows Defender ATP endpoints w When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. +If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md). + + For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). From c786da7ca1b5a23b809189aa9d209e333e0118c7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 15 Feb 2018 17:19:30 -0800 Subject: [PATCH 3/7] typo --- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 4a952a3d15..808f13b4ca 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -54,7 +54,7 @@ You’ll be able to onboard in the same method available for Windows 10 client e - Name: ForceDefenderPassiveMode - Value: 1 - b. Run the following PowerSHell command to verify that the passive mode was configured: + b. Run the following PowerShell command to verify that the passive mode was configured: ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` c. Confirm that a recent event containing the passive mode event is found: From a5000d9a87891ce37bd420a087da56251e8c8fab Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 15 Feb 2018 17:21:17 -0800 Subject: [PATCH 4/7] section rename --- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 808f13b4ca..6f8b1c72b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -30,7 +30,7 @@ Windows Defender ATP supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 -## Onboard server endpoints [MICHAL - SHOULD THIS BE JUST FOR 2012R2?] +## Onboard Windows Server 2012 R2 and Windows Server 2016 [MICHAL - SHOULD I JUST RENAME?] To onboard your servers to Windows Defender ATP, you’ll need to: From 77882d8b0f01a6668fa8a2d801ffe5e4e24d0da7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 20 Feb 2018 11:11:33 -0800 Subject: [PATCH 5/7] move server rs4 section down --- ...ows-defender-advanced-threat-protection.md | 50 +++++++++---------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 6f8b1c72b7..18a0c2a445 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -30,7 +30,7 @@ Windows Defender ATP supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 -## Onboard Windows Server 2012 R2 and Windows Server 2016 [MICHAL - SHOULD I JUST RENAME?] +## Onboard Windows Server 2012 R2 and Windows Server 2016 To onboard your servers to Windows Defender ATP, you’ll need to: @@ -40,31 +40,6 @@ To onboard your servers to Windows Defender ATP, you’ll need to: >[!TIP] > After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). -## Onboard Windows Server 2016 -You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. - -1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). - -2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md). - -3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: - - a. Set the following registry entry: - - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - - Name: ForceDefenderPassiveMode - - Value: 1 - - b. Run the following PowerShell command to verify that the passive mode was configured: - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` - - c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) - -4. Run the following command to check if Windows Defender AV is installed: - ```sc query Windefend``` - - If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). - ### Turn on Server monitoring from the Windows Defender Security Center portal @@ -104,7 +79,30 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | +## Onboard Windows Server 2016 version 1803 [NEED TO CHECK FINAL PRODUCT NAME FOR THIS SERVER] +You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. +1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). + +2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md). + +3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerShell command to verify that the passive mode was configured: + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + +4. Run the following command to check if Windows Defender AV is installed: + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). ### Offboard server endpoints To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. From cf3243c09fd95fb36f74e08ff3b407260331a7f4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 20 Feb 2018 14:01:48 -0800 Subject: [PATCH 6/7] update server version --- ...r-endpoints-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 18a0c2a445..32e7b846b0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -79,8 +79,8 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | -## Onboard Windows Server 2016 version 1803 [NEED TO CHECK FINAL PRODUCT NAME FOR THIS SERVER] -You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. +## Onboard Windows Server, version 1803 [NEED TO CHECK FINAL PRODUCT NAME FOR THIS SERVER] +You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well. 1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). From aa5d134f9ad64ae29d1b72bbf0c41896e9bcb76b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 20 Feb 2018 14:02:21 -0800 Subject: [PATCH 7/7] add applies to version 1803 --- ...rver-endpoints-windows-defender-advanced-threat-protection.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 32e7b846b0..770a75c997 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -18,6 +18,7 @@ ms.date: 03/05/2018 - Windows Server 2012 R2 - Windows Server 2016 +- Windows Server version 1803 - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)]