deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into whfb-rdp

Browse Source
This commit is contained in:
Matthew Palko 2021-03-08 14:45:22 -08:00
commit 3423f0e6bd
188 changed files with 1118 additions and 751 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn
View File

@ -35,7 +35,7 @@
"
## Acrolinx Scorecards
**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.**
**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:

10
.openpublishing.redirection.json
View File

@ -1699,6 +1699,11 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/manage-edr.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-edr",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-edrmanage-edr.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/management-apis.md",
@ -16535,6 +16540,11 @@
"redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",

12
browsers/edge/microsoft-edge-kiosk-mode-deploy.md
View File

@ -162,12 +162,12 @@ With this method, you can use Microsoft Intune or other MDM services to configur
| | |
|---|---|
| **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge Legacy running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
| **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> |
| **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> |
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> |
| **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
| **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![Icon Mode](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge Legacy running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
| **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![Icon Timeout](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> |
| **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![Icon HomePage](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> |
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![Icon Configure](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> |
| **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![Icon Set Home](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![Icon New Tab](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
**_Congratulations!_** <p>Youve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.

10
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -86,14 +86,14 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
The following is a high-level view of the main wifi components in Windows.
<table>
<tr><td><img src="images/wcm.png"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
<tr><td><img src="images/wcm.png" alt="Windows Connection Manager"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png" alt="WLAN Autoconfig Service"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks</td></tr>
<tr><td><img src="images/msm.png"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
<tr><td><img src="images/msm.png" alt="Media Specific Module"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png" alt="Native WiFi stack"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png" alt="Wireless miniport"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
</table>

13
windows/client-management/mandatory-user-profile.md
View File

@ -16,7 +16,6 @@ ms.topic: article
# Create mandatory user profiles
**Applies to**
- Windows 10
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
> ![Microsoft Bing Translator package](images/sysprep-error.png)
> ![Microsoft Bing Translator package error](images/sysprep-error.png)
>
> Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@ -86,20 +85,24 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
![Example of UI](images/copy-to.png)
![Example of User Profiles UI](images/copy-to.png)
1. In **Copy To**, under **Permitted to use**, click **Change**.
![Example of UI](images/copy-to-change.png)
![Example of Copy To UI](images/copy-to-change.png)
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
![Example of Copy profile to](images/copy-to-path.png)
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of UI](images/copy-to-path.png)
![Example of Copy To UI with UNC path](images/copy-to-path.png)
1. Click **OK** to copy the default user profile.

20
windows/client-management/mdm/TOC.md
View File

@ -159,16 +159,16 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [Policy CSP DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)

30
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
View File

@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
![Access work or school page in Settings](images/diagnose-mdm-failures15.png)
1. At the bottom of the **Settings** page, click **Create report**.
![Access work or school page in Settings](images/diagnose-mdm-failures16.png)
![Access work or school page and then Create report](images/diagnose-mdm-failures16.png)
1. A window opens that shows the path to the log files. Click **Export**.
![Access work or school page in Settings](images/diagnose-mdm-failures17.png)
![Access work or school log files](images/diagnose-mdm-failures17.png)
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@ -121,28 +121,28 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
2. Open the Field Medic app and then click on **Advanced**.
![field medic screenshot](images/diagnose-mdm-failures2.png)
![field medic screenshot 2](images/diagnose-mdm-failures2.png)
3. Click on **Choose with ETW provider to use**.
![field medic screenshot](images/diagnose-mdm-failures3.png)
![field medic screenshot 3](images/diagnose-mdm-failures3.png)
4. Check **Enterprise** and un-check the rest.
![field medic screenshot](images/diagnose-mdm-failures4.png)
![field medic screenshot 4](images/diagnose-mdm-failures4.png)
5. In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot.
![field medic screenshot](images/diagnose-mdm-failures2.png)
![field medic screenshot 5](images/diagnose-mdm-failures2.png)
6. When the operation is done, click on **Stop Logging**.
![field medic screenshot](images/diagnose-mdm-failures5.png)
![field medic screenshot 6](images/diagnose-mdm-failures5.png)
7. Save the logs. They will be stored in the Field Medic log location on the device.
8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png)
![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot 7](images/diagnose-mdm-failures7.png)![device folder screenshot 8](images/diagnose-mdm-failures8.png)
The following table contains a list of common providers and their corresponding GUIDs.
@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
![prompt](images/diagnose-mdm-failures10.png)
![event viewer prompt](images/diagnose-mdm-failures10.png)
![diagnose mdm failures](images/diagnose-mdm-failures11.png)
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
![event viewer](images/diagnose-mdm-failures12.png)
![event viewer actions](images/diagnose-mdm-failures12.png)
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
![event filter](images/diagnose-mdm-failures13.png)
![event filter for Device Management](images/diagnose-mdm-failures13.png)
7. Now you are ready to start reviewing the logs.
![event viewer](images/diagnose-mdm-failures14.png)
![event viewer review logs](images/diagnose-mdm-failures14.png)
## Collect device state data
@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia
```
 

72
windows/client-management/mdm/policy-csp-browser.md
View File

@ -177,6 +177,10 @@ ms.localizationpriority: medium
<dd>
<a href="#browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
</dd>
<dd>
<a href="#browser-suppressedgedeprecationnotification">Browser/SuppressEdgeDeprecationNotification</a>
</dd>
<dd>
<a href="#browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
</dd>
@ -4069,6 +4073,74 @@ Most restricted value: 0
<hr/>
<!--Policy-->
<a href="" id="browser-suppressedgedeprecationnotification"></a>**Browser/SuppressEdgeDeprecationNotification**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls.
By default, a notification will be presented to the user informing them of this upon application startup.
With this policy, you can either allow (default) or suppress this notification.
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Suppress Edge Deprecation Notification*
- GP name: *SuppressEdgeDeprecationNotification*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 (default) Allowed. Notification will be shown at application startup.
- 1 Prevented/not allowed.
<hr/>
<!--Policy-->
<a href="" id="browser-syncfavoritesbetweenieandmicrosoftedge"></a>**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**

88
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -85,21 +85,30 @@ You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
2. Select **Devices** from the navigation.
3. Under **Policy**, select **Configuration profiles**.
4. Select **Create profile**.
5. From the **Platform** menu, select **Windows 10 and later**.
6. From the **Profile** menu, select **Shared multi-user device**.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
![custom OMA-URI policy in Intune](images/shared_pc_1.jpg)
- **Platform**: Select **Windows 10 and later**.
- **Profile**: Select **Templates** > **Shared multi-user device**.
7. Select **Create**.
8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
9. Select **Next**.
10. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
![Shared PC settings in ICD](images/shared_pc_3.png)
- **Name**: Enter a descriptive name for the new profile.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Next**.
7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
8. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**.
> [!div class="mx-imgBorder"]
> ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png)
11. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
@ -108,27 +117,27 @@ You can configure Windows to be in shared PC mode in a couple different ways:
![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
```
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True
$sharedPC.SetEduPolicies = $True
$sharedPC.SetPowerPolicies = $True
$sharedPC.MaintenanceStartTime = 0
$sharedPC.SignInOnResume = $True
$sharedPC.SleepTimeout = 0
$sharedPC.EnableAccountManager = $True
$sharedPC.AccountModel = 2
$sharedPC.DeletionPolicy = 1
$sharedPC.DiskLevelDeletion = 25
$sharedPC.DiskLevelCaching = 50
$sharedPC.RestrictLocalStorage = $False
$sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
```
```powershell
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True
$sharedPC.SetEduPolicies = $True
$sharedPC.SetPowerPolicies = $True
$sharedPC.MaintenanceStartTime = 0
$sharedPC.SignInOnResume = $True
$sharedPC.SleepTimeout = 0
$sharedPC.EnableAccountManager = $True
$sharedPC.AccountModel = 2
$sharedPC.DeletionPolicy = 1
$sharedPC.DiskLevelDeletion = 25
$sharedPC.DiskLevelCaching = 50
$sharedPC.RestrictLocalStorage = $False
$sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
```
### Create a provisioning package for shared use
@ -205,19 +214,24 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
* Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on.
* The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
* To add the account SID to the registry key using PowerShell:<br/>
```
* An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
* To add the account SID to the registry key using PowerShell:
```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
@ -228,8 +242,6 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
```
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.

388
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -45,8 +45,9 @@ These steps will show you how to configure an Active Directory account with the
On **DC01**:
1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
@ -60,19 +61,20 @@ On **DC01**:
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
The following is a list of the permissions being granted:
a. Scope: This object and all descendant objects
b. Create Computer objects
c. Delete Computer objects
d. Scope: Descendant Computer objects
e. Read All Properties
f. Write All Properties
g. Read Permissions
h. Modify Permissions
i. Change Password
j. Reset Password
k. Validated write to DNS host name
l. Validated write to service principal name
The following is a list of the permissions being granted:
- Scope: This object and all descendant objects
- Create Computer objects
- Delete Computer objects
- Scope: Descendant Computer objects
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
## Step 2: Set up the MDT production deployment share
@ -87,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@ -116,9 +121,13 @@ In these steps, we assume that you have completed the steps in the [Create a Win
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
@ -140,16 +149,22 @@ On **MDT01**:
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
![acroread image](../images/acroread.png)
![acroread image](../images/acroread.png)
The Adobe Reader application added to the Deployment Workbench.
The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
@ -211,16 +226,17 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
``` powershell
```powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
Or, you can use this command in a normal command prompt:
```
```console
wmic csproduct get name
```
If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
![drivers](../images/fig4-oob-drivers.png)
@ -244,9 +260,9 @@ On **MDT01**:
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
3. Click **Next**, **Next** and **Finish**.
![figure 5](../images/fig5-selectprofile.png)
![figure 5](../images/fig5-selectprofile.png)
Creating the WinPE x64 selection profile.
Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
@ -267,7 +283,8 @@ On **MDT01**:
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
![ThinkStation image](../images/thinkstation.png)
> [!div class="mx-imgBorder"]
> ![ThinkStation image](../images/thinkstation.png)
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@ -276,9 +293,12 @@ In this example, we assume you have downloaded and extracted the drivers using T
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
### For the Latitude E7450
@ -289,7 +309,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
### For the HP EliteBook 8560w
@ -300,7 +323,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
### For the Microsoft Surface Laptop
@ -309,7 +335,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
## Step 6: Create the deployment task sequence
@ -320,40 +349,46 @@ This section will show you how to create the task sequence used to deploy your p
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: W10-X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
3. Task sequence comments: Production Image
4. Template: Standard Client Task Sequence
5. Select OS: Windows 10 Enterprise x64 RTM Custom Image
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
9. Internet Explorer home page: https://www.contoso.com
10. Admin Password: Do not specify an Administrator Password at this time
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- Task sequence comments: Production Image
- Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 RTM Custom Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: https://www.contoso.com
- Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 10 task sequence
1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Make%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
1. Choose a selection profile: Nothing
2. Install all drivers from the selection profile
>[!NOTE]
>The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
- Name: Set DriverGroup001
- Task Sequence Variable: DriverGroup001
- Value: Windows 10 x64\\%Make%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
- Install all drivers from the selection profile
> [!NOTE]
> The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
3. Click **OK**.
![drivergroup](../images/fig6-taskseq.png)
![drivergroup](../images/fig6-taskseq.png)
The task sequence for production deployment.
The task sequence for production deployment.
## Step 7: Configure the MDT production deployment share
@ -369,95 +404,104 @@ On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
WSUSServer=mdt01.contoso.com:8530
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
```
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
WSUSServer=mdt01.contoso.com:8530
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
```
3. Click **Edit Bootstrap.ini** and modify using the following information:
```
[Settings]
Priority=Default
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso
In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x86
- ISO file name: MDT Production x86.iso
> [!NOTE]
>
>Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
> [!NOTE]
>
> Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
8. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso
In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
- ISO file name: MDT Production x64.iso
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
11. Click **OK**.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
![figure 8](../images/mdt-07-fig08.png)
![figure 8](../images/mdt-07-fig08.png)
The Windows PE tab for the x64 boot image.
The Windows PE tab for the x64 boot image.
### The rules explained
The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
>
>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
This is the MDT Production Bootstrap.ini:
```
[Settings]
Priority=Default
@ -473,6 +517,7 @@ SkipBDDWelcome=YES
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
```
[Settings]
Priority=Default
@ -529,32 +574,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
> [!NOTE]
> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
>
> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
![DaRT image](../images/dart.png)
![DaRT image](../images/dart.png)
2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
![DaRT selection](../images/mdt-07-fig09.png)
![DaRT selection](../images/mdt-07-fig09.png)
Selecting the DaRT 10 feature in the deployment share.
Selecting the DaRT 10 feature in the deployment share.
8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
10. Click **OK**.
### Update the deployment share
Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE]
@ -571,12 +628,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
On **MDT01**:
1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
2. Right-click **Boot Images** and select **Add Boot Image**.
3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
![figure 9](../images/mdt-07-fig10.png)
![figure 9](../images/mdt-07-fig10.png)
The boot image added to the WDS console.
The boot image added to the WDS console.
### Deploy the Windows 10 client
@ -585,13 +644,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
On **HV01**:
1. Create a virtual machine with the following settings:
1. Name: PC0005
2. Store the virtual machine in a different location: C:\VM
3. Generation: 2
4. Memory: 2048 MB
5. Network: Must be able to connect to \\MDT01\MDTProduction$
6. Hard disk: 60 GB (dynamic disk)
7. Installation Options: Install an operating system from a network-based installation server
- Name: PC0005
- Store the virtual machine in a different location: C:\VM
- Generation: 2
- Memory: 2048 MB
- Network: Must be able to connect to \\MDT01\MDTProduction$
- Hard disk: 60 GB (dynamic disk)
- Installation Options: Install an operating system from a network-based installation server
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
![figure 10](../images/mdt-07-fig11.png)
@ -599,15 +660,18 @@ On **HV01**:
The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: **PC0005**
3. Applications: Select the **Install - Adobe Reader** checkbox.
4. Setup now begins and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
![pc0005 image1](../images/pc0005-vm.png)
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- Computer Name: **PC0005**
- Applications: Select the **Install - Adobe Reader** checkbox.
4. Setup now begins and does the following:
- Installs the Windows 10 Enterprise operating system.
- Installs the added application.
- Updates the operating system via your local Windows Server Update Services (WSUS) server.
![pc0005 image1](../images/pc0005-vm.png)
### Application installation
@ -622,12 +686,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo
On **MDT01**:
1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
2. Select the **Monitoring** node, and wait until you see PC0005.
3. Double-click PC0005, and review the information.
![figure 11](../images/mdt-07-fig13.png)
![figure 11](../images/mdt-07-fig13.png)
The Monitoring node, showing the deployment progress of PC0005.
The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer
@ -657,9 +723,9 @@ On **MDT01**:
3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
![figure 13](../images/mdt-07-fig15.png)
![figure 13](../images/mdt-07-fig15.png)
The newly created multicast namespace.
The newly created multicast namespace.
## Use offline media to deploy Windows 10
@ -674,15 +740,18 @@ To filter what is being added to the media, you create a selection profile. When
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
2. Use the following settings for the New Selection Profile Wizard:
1. General Settings
- Selection profile name: Windows 10 Offline Media
2. Folders
1. Applications / Adobe
2. Operating Systems / Windows 10
3. Out-Of-Box Drivers / WinPE x64
4. Out-Of-Box Drivers / Windows 10 x64
5. Task Sequences / Windows 10
- General Settings
- Selection profile name: Windows 10 Offline Media
- Folders
- Applications / Adobe
- Operating Systems / Windows 10
- Out-Of-Box Drivers / WinPE x64
- Out-Of-Box Drivers / Windows 10 x64
- Task Sequences / Windows 10
![offline media](../images/mdt-offline-media.png)
@ -696,10 +765,11 @@ In these steps, you generate offline media from the MDT Production deployment sh
>When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
3. Use the following settings for the New Media Wizard:
- General Settings
1. Media path: **D:\\MDTOfflineMedia**
2. Selection profile: **Windows 10 Offline Media**
- Media path: **D:\\MDTOfflineMedia**
- Selection profile: **Windows 10 Offline Media**
### Configure the offline media
@ -708,16 +778,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
On **MDT01**:
1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following:
1. Clear the Generate x86 boot image check box.
2. ISO file name: Windows 10 Offline Media.iso
- Clear the Generate x86 boot image check box.
- ISO file name: Windows 10 Offline Media.iso
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
5. On the **General** sub tab, configure the following settings:
1. In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
2. In the **Windows PE Customizations** area, set the Scratch space size to 128.
- In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
- In the **Windows PE Customizations** area, set the Scratch space size to 128.
6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
7. Click **OK**.
### Generate the offline media
@ -727,6 +803,7 @@ You have now configured the offline media deployment share, however the share ha
On **MDT01**:
1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
### Create a bootable USB stick
@ -734,15 +811,20 @@ On **MDT01**:
The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
>[!TIP]
>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\<SkipWimSplit\>True\</SkipWimSplit\>), so this must be changed and the offline media content updated.
>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
6. In the Diskpart utility, type **active**, and then type **exit**.
## Unified Extensible Firmware Interface (UEFI)-based deployments

1
windows/deployment/planning/windows-10-removed-features.md
View File

@ -28,6 +28,7 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](https://docs.microsoft.com/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |

3
windows/deployment/update/media-dynamic-update.md
View File

@ -81,6 +81,9 @@ This table shows the correct sequence for applying the various tasks to the file
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. Its possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.

7
windows/deployment/update/servicing-stack-updates.md
View File

@ -29,8 +29,6 @@ Servicing stack updates provide fixes to the servicing stack, the component that
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog.
## When are they released?
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
@ -44,7 +42,6 @@ Both Windows 10 and Windows Server use the cumulative update mechanism, in which
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
## Is there any special guidance?
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
@ -58,3 +55,7 @@ Typically, the improvements are reliability and performance improvements that do
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.

11
windows/deployment/update/windows-as-a-service.md
View File

@ -6,6 +6,7 @@ ms.manager: laurawi
audience: itpro
itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
ms.audience: itpro
ms.reviewer:
@ -46,7 +47,7 @@ The latest news:
## IT pro champs corner
Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
<img src="images/champs-2.png" alt="" width="640" height="320">
<img src="images/champs-2.png" alt="Champs" width="640" height="320">
<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">**NEW** Tactical considerations for creating Windows deployment rings</a>
@ -67,7 +68,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
Learn more about Windows as a service and its value to your organization.
<img src="images/discover-land.png">
<img src="images/discover-land.png" alt="Discover">
<a href="waas-overview.md">Overview of Windows as a service</a>
@ -82,7 +83,7 @@ Learn more about Windows as a service and its value to your organization.
Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
<img src="images/plan-land.png" alt="" />
<img src="images/plan-land.png" alt="Plan" />
<a href="https://www.microsoft.com/windowsforbusiness/simplified-updates">Simplified updates</a>
@ -98,7 +99,7 @@ Prepare to implement Windows as a service effectively using the right tools, pro
Secure your organization's deployment investment.
<img src="images/deploy-land.png" alt="" />
<img src="images/deploy-land.png" alt="Deploy" />
<a href="index.md">Update Windows 10 in the enterprise</a>
@ -112,6 +113,6 @@ Secure your organization's deployment investment.
## Microsoft Ignite 2018
<img src="images/ignite-land.jpg" alt="" width="640" height="320"/>
<img src="images/ignite-land.jpg" alt="Ignite" width="640" height="320"/>
Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).

11
windows/deployment/update/windows-update-resources.md
View File

@ -6,7 +6,6 @@ ms.mktglfcycl:
audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
@ -16,7 +15,15 @@ author: jaimeo
# Windows Update - additional resources
> Applies to: Windows 10
**Applies to**:
- Windows 10
- Windows Server 2016
- Windows Server 2019
> [!NOTE]
> Windows Server 2016 supports policies available in Windows 10, version 1607. Windows Server 2019 supports policies available in Windows 10, version 1809.
The following resources provide additional information about using Windows Update.

53
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -29,6 +29,9 @@ ms.topic: article
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
>- Office 2013*
>- Office 2016*
>- Office 2019*
**Looking for retail activation?**
@ -46,10 +49,13 @@ The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
1. Microsoft verifies the KMS host key, and an activation object is created.
1. Client computers are activated by receiving the activation object from a domain controller during startup.
![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
2. Microsoft verifies the KMS host key, and an activation object is created.
3. Client computers are activated by receiving the activation object from a domain controller during startup.
> [!div class="mx-imgBorder"]
> ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
**Figure 10**. The Active Directory-based activation flow
@ -69,52 +75,67 @@ When a reactivation event occurs, the client queries AD DS for the activation o
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
1. Launch Server Manager.
1. Add the Volume Activation Services role, as shown in Figure 11.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 11.
![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
**Figure 11**. Adding the Volume Activation Services role
1. Click the link to launch the Volume Activation Tools (Figure 12).
4. Click the link to launch the Volume Activation Tools (Figure 12).
![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg)
**Figure 12**. Launching the Volume Activation Tools
1. Select the **Active Directory-Based Activation** option (Figure 13).
5. Select the **Active Directory-Based Activation** option (Figure 13).
![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg)
**Figure 13**. Selecting Active Directory-Based Activation
1. Enter your KMS host key and (optionally) a display name (Figure 14).
6. Enter your KMS host key and (optionally) a display name (Figure 14).
![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg)
**Figure 14**. Entering your KMS host key
1. Activate your KMS host key by phone or online (Figure 15).
7. Activate your KMS host key by phone or online (Figure 15).
![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg)
**Figure 15**. Choosing how to activate your product
1. After activating the key, click **Commit**, and then click **Close**.
> [!NOTE]
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
>
>
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
>
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
>
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
1. If the computer is not joined to your domain, join it to the domain.
1. Sign in to the computer.
1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
3. If the computer is not joined to your domain, join it to the domain.
4. Sign in to the computer.
5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
>
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
## See also

86
windows/deployment/windows-10-subscription-activation.md
View File

@ -21,7 +21,7 @@ ms.topic: article
Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions **Windows 10 Education**.
With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each
![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png)
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.<br>
- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.<br>
- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.<br>
- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.<br>
- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.<br>
- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.<br>
- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.<br>
- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
## Requirements
@ -105,21 +112,29 @@ To resolve this issue:
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1809 or later:
1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
![Subscription Activation with MFA example 3](images/sa-mfa3.png)
- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
![Subscription Activation with MFA example 3](images/sa-mfa3.png)
### Windows 10 Education requirements
1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> [!IMPORTANT]
> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
## Benefits
@ -131,15 +146,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
You can benefit by moving to Windows as an online service in the following ways:
1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
2. User logon triggers a silent edition upgrade, with no reboot required
3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
4. Compliance support via seat assignment.
5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
- User logon triggers a silent edition upgrade, with no reboot required.
- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
- Compliance support via seat assignment.
- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
## How it works
The device is AAD joined from Settings > Accounts > Access work or school.
The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@ -157,26 +176,35 @@ Before Windows 10, version 1903:<br>
After Windows 10, version 1903:<br>
![1903](images/after.png)
Note:
1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
> [!NOTE]
>
> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
>
> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
#### Scenario #1
You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
#### Scenario #2
You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
<pre style="overflow-y: visible">
```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
#### Scenario #3
Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, its really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@ -204,7 +232,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
<pre style="overflow-y: visible">
```console
@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
@ -218,18 +246,24 @@ echo No key present
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)
</pre>
```
### Obtaining an Azure AD license
Enterprise Agreement/Software Assurance (EA/SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA):
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses

2
windows/security/identity-protection/access-control/security-identifiers.md
View File

@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
![](images/security-identifider-architecture.jpg)
![Security identifier architecture](images/security-identifider-architecture.jpg)
The individual values of a SID are described in the following table.

2
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
The following image shows an example of an error during **Create a PIN**.
![](images/pinerror.png)
![PIN error](images/pinerror.png)
## Error mitigations

32
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -44,42 +44,58 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
> [!div class="mx-imgBorder"]
> ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
2. Edit the Group Policy object from Step 1.
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
2. Click **Endpoint Security** > **Account Protection** > **Properties**.
3. Set **Enable PIN recovery** to **Yes**.
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager.
>
> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
>
> 3. Set **Enable PIN recovery** to **Yes**.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account.
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
3. In the device configuration profile, select **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
@ -104,15 +120,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
#### Reset PIN above the Lock Screen
1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
2. Enter your password and press enter.
3. Follow the instructions provided by the provisioning process
4. When finished, unlock your desktop using your newly created PIN.
1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
2. Enter your password and press enter.
3. Follow the instructions provided by the provisioning process
4. When finished, unlock your desktop using your newly created PIN.
You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
> [!NOTE]
> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
## Related topics

3
windows/security/threat-protection/TOC.md
View File

@ -429,7 +429,8 @@
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
##### [DeviceTvmSoftwareInventory](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md)
##### [DeviceTvmSoftwareVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)

4
windows/security/threat-protection/mbsa-removal-and-guidance.md
View File

@ -25,14 +25,14 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
A script can help you with an alternative to MBSAs patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
## More Information

16
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 02/12/2021
ms.date: 03/05/2021
ms.technology: mde
---
@ -408,6 +408,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
<details>
<summary>1.1.2103.01</summary>
&ensp;Package version: **1.1.2103.01**
&ensp;Platform version: **4.18.2101.9**
&ensp;Engine version: **1.17800.5**
&ensp;Signature version: **1.331.2302.0**
### Fixes
- None
### Additional information
- None
<br/>
</details><details>
<summary>1.1.2102.03</summary>
&ensp;Package version: **1.1.2102.03**

28
windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
View File

@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/17/2021
ms.date: 03/08/2021
ms.technology: mde
---
@ -64,7 +64,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
| Turn tamper protection on (or off) for all or part of your organization using Intune <p>Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
| Turn tamper protection on (or off) in the Microsoft Defender Security Center <p>Manage tamper protection across your tenant <p>(Currently in preview) | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
| Turn tamper protection on (or off) in the Microsoft Defender Security Center <p>Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
@ -85,7 +85,9 @@ Here's what you see in the Windows Security app:
![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png)
1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
2. Select **Virus & threat protection** > **Virus & threat protection settings**.
3. Set **Tamper Protection** to **On** or **Off**.
## Manage tamper protection for your organization using Intune
@ -95,9 +97,13 @@ If you are part of your organization's security team, and your subscription incl
### Requirements for managing tamper protection in Intune
- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
### Turn tamper protection on (or off) in Intune
@ -105,12 +111,15 @@ If you are part of your organization's security team, and your subscription incl
![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png)
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
2. Select **Devices** > **Configuration Profiles**.
3. Create a profile that includes the following settings:
- **Platform: Windows 10 and later**
- **Profile type: Endpoint protection**
- **Category: Microsoft Defender Security Center**
- **Tamper Protection: Enabled**
4. Assign the profile to one or more groups.
### Are you using Windows OS 1709, 1803, or 1809?
@ -120,7 +129,9 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
#### Use PowerShell to determine whether tamper protection is turned on
1. Open the Windows PowerShell app.
2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet.
3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
## Manage tamper protection for your organization with Configuration Manager, version 2006
@ -133,9 +144,11 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c
![Windows security experience in Endpoint Manager](images/win-security- exp-policy-endpt-security.png)
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.<br/>
- In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
- In the **Profile** list, select **Windows Security experience (preview)**. <br/>
3. Deploy the policy to your device collection.
### Need help with this?
@ -147,24 +160,29 @@ See the following resources:
## Manage tamper protection for your organization using the Microsoft Defender Security Center
Currently in preview, tamper protection can be turned on or off in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center.
- Tamper protection is generally available; however, the ability to manage tamper protection in the Microsoft Defender Security Center is currently in preview.
### Requirements for managing tamper protection in the Microsoft Defender Security Center
- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
- Your Windows devices must be running one of the following versions of Windows:
- Windows 10
- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
- Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later
- [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
- For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
- Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md).
- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
- [Cloud-delivered protection must be turned on](enable-cloud-protection-microsoft-defender-antivirus.md).
### Turn tamper protection on (or off) in the Microsoft Defender Security Center
@ -172,7 +190,9 @@ Currently in preview, tamper protection can be turned on or off in the Microsoft
![Turn tamper protection on in the Microsoft Defender Security Center](images/mde-turn-tamperprotect-on.png)
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Choose **Settings**.
3. Go to **General** > **Advanced features**, and then turn tamper protection on.
## View information about tampering attempts

8
windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
View File

@ -1,6 +1,6 @@
---
title: Add or Remove Machine Tags API
description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, tags, machine tags
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
@ -20,8 +20,8 @@ ms.technology: mde
# Add or Remove Machine Tags API
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -90,7 +90,7 @@ If successful, this method returns 200 - Ok response code and the updated Machin
Here is an example of a request that adds machine tag.
```
```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
```

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
View File

@ -1,7 +1,7 @@
---
title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender for Endpoint
description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@ -26,8 +26,8 @@ ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
View File

@ -24,8 +24,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
View File

@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
View File

@ -24,8 +24,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
View File

@ -23,9 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
View File

@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

5
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
View File

@ -23,8 +23,9 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
View File

@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

23
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md → windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md
View File

@ -1,6 +1,6 @@
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
title: DeviceTvmSoftwareInventory table in the advanced hunting schema
description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -8,8 +8,8 @@ ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -18,19 +18,21 @@ ms.topic: article
ms.technology: mde
---
# DeviceTvmSoftwareInventoryVulnerabilities
# DeviceTvmSoftwareInventory
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
The `DeviceTvmSoftwareInventory` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software currently installed on devices in your network, including end of support information. You can, for instance, hunt for events involving devices that are installed with a currently vulnerable software version. Use this reference to construct queries that return information from the table.
>[!NOTE]
>The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
@ -44,8 +46,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| `SoftwareVendor` | string | Name of the software vendor |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `EndOfSupportStatus` | string | Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date |
| `EndOfSupportDate` | string | End-of-support (EOS) or end-of-life (EOL) date of the software product |
@ -55,3 +57,4 @@ For information on other tables in the advanced hunting schema, see [the advance
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

62
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md Normal file
View File

@ -0,0 +1,62 @@
---
title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema
description: Learn about software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: mde
---
# DeviceTvmSoftwareVulnerabilities
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
>[!NOTE]
>The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the device |
| `OSArchitecture` | string | Architecture of the operating system running on the device |
| `SoftwareVendor` | string | Name of the software vendor |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `RecommendedSecurityUpdate` | string | Name or description of the security update provided by the software vendor to address the vulnerability |
| `RecommendedSecurityUpdateId` | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
View File

@ -23,8 +23,8 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)

5
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md
View File

@ -1,7 +1,7 @@
---
title: Extend advanced hunting coverage with the right settings
description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@ -24,8 +24,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md
View File

@ -1,7 +1,7 @@
---
title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
title: FileProfile() function in advanced hunting for Microsoft Defender for Endpoint
description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -64,7 +64,8 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status |
| **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |

3
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -23,8 +23,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md
View File

@ -22,8 +22,8 @@ ms.technology: mde
# Take action on advanced hunting query results
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

7
windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
View File

@ -25,8 +25,7 @@ ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@ -38,8 +37,8 @@ Topic | Description
[View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network.
[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event.
[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event.
[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behavior, or event.
[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behavior, or event.
[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.

2
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get alerts API
description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection.
description: Learn about the methods and properties of the Alert resource type in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

4
windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
View File

@ -1,7 +1,7 @@
---
title: Hello World for Microsoft Defender Advanced Threat Protection API
title: Hello World for Microsoft Defender for Endpoint API
ms.reviewer:
description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API.
description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint (Microsoft Defender ATP) API.
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender for Endpoint APIs.
keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

14
windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
View File

@ -26,6 +26,20 @@ ms.technology: mde
The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made.
> [!TIP]
> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
>```
>https://docs.microsoft.com/api/search/rss?search=%22Release+notes+for+updates+made+to+the+Microsoft+Defender+for+Endpoint+set+of+APIs%22&locale=en-us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Windows+10%27%29
>```
### 10.02.2021
<hr>
- Added new API: [Batch update alerts](batch-update-alerts.md).
<br>
### 25.01.2021
<hr>

2
windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
View File

@ -1,5 +1,5 @@
---
title: Access the Microsoft Defender Advanced Threat Protection APIs
title: Access the Microsoft Defender for Endpoint APIs
ms.reviewer:
description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query

2
windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
View File

@ -1,6 +1,6 @@
---
title: Assign user access to Microsoft Defender Security Center
description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal.
description: Assign read and write or read only access to the Microsoft Defender for Endpoint portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
View File

@ -1,7 +1,7 @@
---
title: Experience Microsoft Defender ATP through simulated attacks
description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection
keywords: wdatp, test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
View File

@ -1,7 +1,7 @@
---
title: Attack surface reduction frequently asked questions (FAQ)
description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, microsoft defender for endpoint
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -1,7 +1,7 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: manage

2
windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
View File

@ -1,6 +1,6 @@
---
title: Use basic permissions to access Microsoft Defender Security Center
description: Learn how to use basic permissions to access the Microsoft Defender Advanced Threat Protection portal.
description: Learn how to use basic permissions to access the Microsoft Defender for Endpoint portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
search.appverid: met150

4
windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
View File

@ -1,6 +1,6 @@
---
title: Configure alert notifications in Microsoft Defender ATP
description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria.
title: Configure alert notifications in Microsoft Defender for Endpoint
description: You can use Microsoft Defender for Endpoint to configure email notification settings for security alerts, based on severity and other criteria.
keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy
keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender for Endpoint devices, group policy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm
keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender for Endpoint devices, mdm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

11
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
View File

@ -1,7 +1,7 @@
---
title: Onboard non-Windows devices to the Microsoft Defender ATP service
title: Onboard non-Windows devices to the Microsoft Defender for Endpoint service
description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service.
keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@ -24,12 +24,13 @@ ms.technology: mde
**Applies to:**
- macOS
- Linux
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Platforms**
- macOS
- Linux
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices using a local script
description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
View File

@ -1,7 +1,7 @@
---
title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender for Endpoint endpoints
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security

25
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -37,14 +37,12 @@ ms.technology: mde
Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you're a Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal.
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts - Targeted Attack Notifications**.
2. Click **Apply**.
@ -58,11 +56,14 @@ If you're already a Defender for Endpoint customer, you can apply through the Mi
![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png)
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is “on”. In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle “off” and click **Save preferences** at the bottom of the page.
## Receive targeted attack notification from Microsoft Threat Experts
## Where you'll see the targeted attack notifications from Microsoft Threat Experts
You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
- The Defender for Endpoint portal's **Incidents** page
- The Defender for Endpoint portal's **Alerts** dashboard
- OData alerting [API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)
- [DeviceAlertEvents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
- Your email, if you choose to configure it
To receive targeted attack notifications through email, create an email notification rule.
@ -77,13 +78,15 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Subscribe to Microsoft Threat Experts - Experts on Demand
If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
> [!NOTE]
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
> - You need to have the **Manage security settings** permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
@ -106,7 +109,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
> [!NOTE]
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Technical Account Manager.
Watch this video for a quick overview of the Microsoft Services Hub.
@ -114,7 +117,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
## Sample investigation topics that you can consult with Microsoft Threat Experts
## Sample investigation topics that you can consult with Microsoft Threat Experts - Experts on Demand
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?

4
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -114,7 +114,7 @@ The following downloadable spreadsheet lists the services and their associated U
|**Spreadsheet of domains list**|**Description**|
|:-----|:-----|
|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
@ -157,7 +157,7 @@ Please see the following guidance to eliminate the wildcard (*) requirement for
3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)).
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)).
![Image of administrator in Windows PowerShell](images/admin-powershell.png)

7
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows servers to the Microsoft Defender for Endpoint service
description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers, onboard Microsoft Defender for Endpoint servers
keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
@ -31,9 +31,6 @@ ms.technology: mde
- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
- Windows Server 2019 core edition
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@ -221,7 +218,7 @@ Defender for Endpoint integrates with System Center Endpoint Protection. The int
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
- [Configure the SCEP client Cloud Protection Service membership](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to the **Advanced** setting.
<br>

2
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -1,5 +1,5 @@
---
title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
title: Pull detections to your SIEM tools from Microsoft Defender for Endpoint
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh

2
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -1,6 +1,6 @@
---
title: Create alert from event API
description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
View File

@ -1,6 +1,6 @@
---
title: Verify data storage location and update data retention settings
description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection
description: Verify data storage location and update data retention settings for Microsoft Defender for Endpoint
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
View File

@ -1,6 +1,6 @@
---
title: Delete Indicator API.
description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender for Endpoint.
keywords: apis, public api, supported apis, delete, ti indicator, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

BIN
windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
View File

Binary file not shown.

20
windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
View File

@ -1,6 +1,6 @@
---
title: See how Exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
@ -30,14 +30,14 @@ ms.technology: mde
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
Use exploit protection in audit mode to review related events in Event Viewer. By enabling audit mode, you'll see how mitigation works for certain apps in a test environment. Audit mode shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
> [!TIP]
> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Enable exploit protection in audit mode
## Enable exploit protection for testing
You can set mitigations in audit mode for specific programs by using the Windows Security app or Windows PowerShell.
You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
### Windows Security app
@ -99,12 +99,12 @@ To review which apps would have been blocked, open Event Viewer and filter for t
| Feature | Provider/source | Event ID | Description |
|---|---|--|---|
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
## See also

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related domains information
description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Retrieve all domains related to a specific alert using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related files information
description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
description: Retrieve all files related to a specific alert using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related IPs information
description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
description: Retrieve all IPs related to a specific alert using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related machine information
description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint).
description: Retrieve all devices related to a specific alert using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get alert information, alert information, related device
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
View File

@ -1,6 +1,6 @@
---
title: Get alert related user information
description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get IP related alerts API
description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender for Endpoint
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -1,6 +1,6 @@
---
title: Get IP statistics API
description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Get the latest stats for your IP using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
View File

@ -1,6 +1,6 @@
---
title: Get KB collection API
description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, kb
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
View File

@ -1,6 +1,6 @@
---
title: Get machine by ID API
description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, devices, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
View File

@ -1,6 +1,6 @@
---
title: Get machine logon users API
description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get machine related alerts API
description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, devices, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
View File

@ -1,6 +1,6 @@
---
title: Get MachineAction object API
description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
View File

@ -1,6 +1,6 @@
---
title: List machineActions API
description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
View File

@ -1,6 +1,6 @@
---
title: Get machines security states collection API
description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Retrieve a collection of device security states using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, device, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150

2
windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
View File

@ -1,6 +1,6 @@
---
title: List Indicators API
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender for Endpoint.
keywords: apis, public api, supported apis, Indicators collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
View File

@ -1,6 +1,6 @@
---
title: Get user information API
description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10

2
windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
View File

@ -1,6 +1,6 @@
---
title: Get user-related alerts API
description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

2
windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
View File

@ -1,6 +1,6 @@
---
title: Get user-related machines API
description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security

32
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -21,11 +21,11 @@ ms.technology: mde
# Microsoft Defender for Endpoint for US Government customers
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Microsoft Defender for Endpoint for US Government customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial.
This offering is available to GCC, GCC High, and DoD customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some differences in the availability of capabilities for this offering.
> [!NOTE]
> If you are a GCC customer using Defender for Endpoint in Commercial, please refer to the public documentation pages.
@ -102,21 +102,25 @@ The following OS versions are supported when using [Azure Defender for Servers](
OS version | GCC | GCC High | DoD (PREVIEW)
:---|:---|:---|:---
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2012 R2 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2008 R2 SP1 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
<br>
## Required connectivity settings
You'll need to ensure that traffic from the following are allowed:
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
Service location | DNS record
:---|:---
Common URLs for all locations (Global location) | `crl.microsoft.com`<br>`ctldl.windowsupdate.com`<br>`notify.windows.com`<br>`settings-win.data.microsoft.com` <br><br> Note: `settings-win.data.microsoft.com` is only needed on Windows 10 devices running version 1803 or earlier.
Common URLs for all US Gov customers | `us4-v20.events.data.microsoft.com` <br>`*.blob.core.usgovcloudapi.net`
Defender for Endpoint GCC specific | `winatp-gw-usmt.microsoft.com`<br>`winatp-gw-usmv.microsoft.com`
Defender for Endpoint GCC High & DoD (PREVIEW) specific | `winatp-gw-usgt.microsoft.com`<br>`winatp-gw-usgv.microsoft.com`
The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network filtering rules that would deny access to these URLs, or create an *allow* rule specifically for them.
Spreadsheet of domains list | Description
:-----|:-----
![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
> [!NOTE]
> The spreadsheet contains commercial URLs as well, make sure you check the "US Gov" tabs. <br> When filtering, look for the records labeled as "US Gov" and your specific cloud under the geography column.
<br>
@ -151,7 +155,7 @@ Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/ch
Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Integrations: Azure Sentinel | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Compliance Manager | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog

4
windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
View File

@ -1,6 +1,6 @@
---
title: Helpful Microsoft Defender Advanced Threat Protection resources
description: Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection
title: Helpful Microsoft Defender for Endpoint resources
description: Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint
keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
search.product: eADQiWindows 10XVcnh
search.appverid: met150

BIN
windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view-upd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected-upd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 81 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac-upd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

Some files were not shown because too many files have changed in this diff Show More