deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #4651 from MicrosoftDocs/master

Browse Source 
Publish 2/1/2021 10:30 AM PT
This commit is contained in:
Tina Burden 2021-02-01 10:35:09 -08:00 committed by GitHub
commit 39ee56ca71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 77 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,6 +2,14 @@
## Week of January 25, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
## Week of January 11, 2021

3
windows/security/threat-protection/index.md
View File

@ -20,6 +20,9 @@ ms.technology: mde
# Threat Protection
[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).

2
windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
View File

@ -24,8 +24,6 @@ ms.technology: mde
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
> [!IMPORTANT]
> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
> [!WARNING]
> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.

21
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
<br>
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
@ -56,13 +57,13 @@ After completing the onboarding steps using any of the provided options, you'll
> [!NOTE]
> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support.
In general, you'll need to take the following steps:
1. Fulfill the onboarding requirements outlined in **Before you begin** section.
@ -102,6 +103,8 @@ Perform the following steps to fulfill the onboarding requirements:
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
> [!NOTE]
> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government".
<span id="server-proxy"/>
@ -140,6 +143,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
<br>
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
@ -179,12 +184,14 @@ Support for Windows Server provides deeper insight into server activities, cover
```sc.exe query Windefend```
If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
<br>
## Integration with Azure Security Center
Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
@ -202,6 +209,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten
> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
<br>
## Configure and update System Center Endpoint Protection clients
@ -212,7 +220,7 @@ The following steps are required to enable this integration:
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
<br>
## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
@ -264,6 +272,9 @@ To offboard the Windows server, you can use either of the following methods:
$AgentCfg.ReloadConfiguration()
```
<br>
## Related topics
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard non-Windows devices](configure-endpoints-non-windows.md)

19
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -31,8 +31,16 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers
> [!NOTE]
> If you are a "GCC on Commercial" customer, please refer to the public documentation pages.
<br>
## Portal URLs
The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
Customer type | Portal URL
:---|:---
GCC | https://gcc.securitycenter.microsoft.us
GCC High | https://securitycenter.microsoft.us
<br>
## Endpoint versions
@ -63,7 +71,10 @@ Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../im
iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
> [!NOTE]
> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
> [!NOTE]
> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud".
### OS versions when using Azure Defender for Servers
The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
@ -88,7 +99,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`<br>`win
<br>
## API
Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
@ -100,7 +110,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
<br>
## Feature parity with commercial
Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
@ -126,6 +135,6 @@ Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg
Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development
Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog

4
windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
View File

@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device.
The client device is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
mdatp --health orgId
mdatp health --field org_id
```
2. Run the Python script to install the configuration file:
@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device.
3. Verify that the device is now associated with your organization and reports a valid *orgId*:
```bash
mdatp --health orgId
mdatp health --field org_id
```
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

2
windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
View File

@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:

2
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -149,7 +149,7 @@ To enable autocompletion in zsh:
## Client Microsoft Defender for Endpoint quarantine directory
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`.
## Microsoft Defender for Endpoint portal information

4
windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md
View File

@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
<array>
<string>sh</string>
<string>-c</string>
<string>/usr/local/bin/mdatp --scan --quick</string>
<string>/usr/local/bin/mdatp scan quick</string>
</array>
<key>RunAtLoad</key>
<true/>
@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device.
2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
> [!TIP]
> To run a full scan instead of a quick scan, change line 12, `<string>/usr/local/bin/mdatp --scan --quick</string>`, to use the `--full` option instead of `--quick` (i.e. `<string>/usr/local/bin/mdatp --scan --full</string>`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
> To run a full scan instead of a quick scan, change line 12, `<string>/usr/local/bin/mdatp scan quick</string>`, to use the `full` option instead of `quick` (i.e. `<string>/usr/local/bin/mdatp scan full</string>`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
3. Open **Terminal**.
4. Enter the following commands to load your file:

16
windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md
View File

@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o
![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png)
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device.
```bash
mdatp --health
mdatp health
```
```Output
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
real_time_protection_enabled : false
real_time_protection_available : true
...
```
@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl
sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available:
```bash
mdatp --health
mdatp health
```
```Output
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
real_time_protection_enabled : true
real_time_protection_available : true
...
```

8
windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md
View File

@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png)
![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png)
- From the Terminal. For security purposes, this operation requires elevation.
```bash
mdatp --config realTimeProtectionEnabled false
```
```bash
mdatp config real-time-protection --value disabled
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).

7
windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
View File

@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device
- Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command:
```bash
mdatp --health releaseRing
mdatp health --field release_ring
```
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr
1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process.
You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
> [!IMPORTANT]
> You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval.

2
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -173,7 +173,7 @@ ms.technology: mde
- Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
```bash
mdatp --connectivity-test
mdatp connectivity test
```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
View File

@ -132,7 +132,7 @@ The output from this command should be similar to the following:
Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:
```bash
mdatp --connectivity-test
mdatp connectivity test
```
## How to update Microsoft Defender for Endpoint for Mac

24
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
View File

@ -29,9 +29,9 @@ ms.technology: mde
When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
- A rule blocks a file, process, or performs some other action that it should not (false positive)
- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
- A rule does not work as described, or does not block a file or process that it should (false negative)
- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond
- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r
You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct
3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
## Add exclusions for a false positive
If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
@ -95,12 +95,12 @@ Use the [Windows Defender Security Intelligence web-based submission form](https
## Collect diagnostic data for file submissions
When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
```console
cd c:\program files\windows defender
cd "c:\program files\windows defender"
```
2. Run this command to generate the diagnostic logs:
@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you are asked to
mpcmdrun -getfiles
```
3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
## Related articles