From 443c53cbfd1a94240e6568ae4dfe09e5be9299b6 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 16 Dec 2020 23:21:11 +0530 Subject: [PATCH 01/15] updated-4620497 updated --- windows/security/threat-protection/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 88ac6667fb..f9594c5218 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Threat Protection [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). From 402d66cf2d6e71fc1f511079881b8f70f96e0e88 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:01:47 -0800 Subject: [PATCH 02/15] Update MDE for Mac docs to use new command-line tool syntax --- .../mac-install-manually.md | 4 ++-- .../microsoft-defender-atp/mac-pua.md | 2 +- .../microsoft-defender-atp/mac-resources.md | 2 +- .../mac-schedule-scan-atp.md | 4 ++-- .../microsoft-defender-atp/mac-support-kext.md | 16 ++++++++-------- .../microsoft-defender-atp/mac-support-perf.md | 2 +- .../microsoft-defender-atp/mac-whatsnew.md | 2 +- .../microsoft-defender-atp-mac.md | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 904279814f..375f715a8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -116,7 +116,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -128,7 +128,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index a83bc01f7a..37371fa8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -59,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 8ab4ccb54a..227df25707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -149,7 +149,7 @@ To enable autocompletion in zsh: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index b7f2649c73..331b7057ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -47,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. sh -c - /usr/local/bin/mdatp --scan --quick + /usr/local/bin/mdatp scan quick RunAtLoad @@ -73,7 +73,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. 2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp scan quick`, to use the `full` option instead of `quick` (i.e. `/usr/local/bin/mdatp scan full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. 3. Open **Terminal**. 4. Enter the following commands to load your file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index 3cefc80735..dae30c8c6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -37,15 +37,15 @@ If you did not approve the kernel extension during the deployment/installation o ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) -You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. +You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension is not approved to run on your device. ```bash -mdatp --health +mdatp health ``` ```Output ... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true +real_time_protection_enabled : true +real_time_protection_available : true ... ``` @@ -90,15 +90,15 @@ In this case, you need to perform the following steps to trigger the approval fl sudo kextutil /Library/Extensions/wdavkext.kext ``` - The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + The banner should disappear from the Defender application, and ```mdatp health``` should now report that real-time protection is both enabled and available: ```bash - mdatp --health + mdatp health ``` ```Output ... - realTimeProtectionAvailable : true - realTimeProtectionEnabled : true + real_time_protection_enabled : true + real_time_protection_available : true ... ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 96b85255e0..9aff2517bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -48,7 +48,7 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the Terminal. For security purposes, this operation requires elevation. ```bash - mdatp --config realTimeProtectionEnabled false + mdatp config real-time-protection --value disabled ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 2ae1e83837..55c92067b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -173,7 +173,7 @@ ms.technology: mde - Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash - mdatp --connectivity-test + mdatp connectivity test ``` - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 61c7fe0660..9766c422da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -132,7 +132,7 @@ The output from this command should be similar to the following: Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` ## How to update Microsoft Defender for Endpoint for Mac From 5d73e88e40b16c8c285dcbe144712e9f82d9fcef Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:05:01 -0800 Subject: [PATCH 03/15] One more file --- .../microsoft-defender-atp/mac-sysext-preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 3e8f336502..b02e640d1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -45,7 +45,7 @@ These steps assume you already have Defender for Endpoint running on your device - Your device must be in the **Insider Fast update channel**. You can check the update channel by using the following command: ```bash - mdatp --health releaseRing + mdatp health --field release_ring ``` If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted). From 47bd07c3fa4979cb5e91ca1c8bda30eadccec328 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 29 Jan 2021 15:12:40 -0800 Subject: [PATCH 04/15] Typo --- .../microsoft-defender-atp/mac-support-kext.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index dae30c8c6a..8d726d2f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -44,7 +44,7 @@ mdatp health ``` ```Output ... -real_time_protection_enabled : true +real_time_protection_enabled : false real_time_protection_available : true ... ``` From f29f13280dc50788d2e9537221dfe79d255d7335 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:13:11 -0800 Subject: [PATCH 05/15] Corrected indentation of content in list items --- .../microsoft-defender-atp/mac-support-perf.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 9aff2517bf..cbfb2f15f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -43,13 +43,13 @@ The following steps can be used to troubleshoot and mitigate these issues: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. - ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) + ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) - From the Terminal. For security purposes, this operation requires elevation. - ```bash - mdatp config real-time-protection --value disabled - ``` + ```bash + mdatp config real-time-protection --value disabled + ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). From f0446c8eb4ebb6e9c0598e76fee5cf30b2c76462 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 Jan 2021 16:15:28 -0800 Subject: [PATCH 06/15] Corrected indentation and, thereby, broken numbering in a procedure --- .../microsoft-defender-atp/mac-sysext-preview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index b02e640d1e..3a5f837ab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -66,8 +66,9 @@ Follow the deployment steps that correspond to your environment and your preferr 1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process. -You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. -For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. + You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. + + For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run. > [!IMPORTANT] > You must close and reopen the **System Preferences** > **Security & Privacy** window between subsequent approvals. Otherwise, macOS will not display the next approval. From 73f669e1e90ef76a8a27f03a6ab43d9397c0762f Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 30 Jan 2021 23:33:12 -0800 Subject: [PATCH 07/15] Uploaded file: store-for-business-content-updates.md - 2021-01-30 23:33:11.8570 --- .../includes/store-for-business-content-updates.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 42f33e8015..82518ed170 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,6 +2,14 @@ +## Week of January 25, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + ## Week of January 11, 2021 From fd30b0a830ebbd942b4cf61181c942b7e7ab5f59 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:05:18 +0200 Subject: [PATCH 08/15] Update Onboard-Windows-10-multi-session-device.md Dropping the rebranding note (was removed from all pages). --- .../Onboard-Windows-10-multi-session-device.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index e63643ed0a..1f03573655 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -24,8 +24,6 @@ ms.technology: mde Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) -> [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. From ff100e743717b62e52ee29850b2e00a83770bbdb Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:26:56 +0200 Subject: [PATCH 09/15] Update configure-server-endpoints.md Addressing: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8911 https://github.com/MicrosoftDocs/windows-itpro-docs/pull/8996/files Also adding a note regarding US Gov customers and MMA setup. --- .../configure-server-endpoints.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 3e1fad5b1a..abdf7a98e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -42,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). +
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 @@ -56,7 +57,7 @@ After completing the onboarding steps using any of the provided options, you'll > [!NOTE] -> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) @@ -102,6 +103,8 @@ Perform the following steps to fulfill the onboarding requirements: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government". @@ -140,6 +143,8 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). +
+ ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -183,6 +188,8 @@ Support for Windows Server provides deeper insight into server activities, cover For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). +
+ ## Integration with Azure Security Center Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. @@ -202,6 +209,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +
## Configure and update System Center Endpoint Protection clients @@ -212,7 +220,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - +
## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. @@ -264,6 +272,9 @@ To offboard the Windows server, you can use either of the following methods: $AgentCfg.ReloadConfiguration() ``` + +
+ ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) From bd6233826f769c56fb2f12a191eae8fe0588cd9e Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:35:51 +0200 Subject: [PATCH 10/15] Update configure-server-endpoints.md Some Acrolinx changes. --- .../microsoft-defender-atp/configure-server-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index abdf7a98e7..8ac55c19b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -63,7 +63,7 @@ After completing the onboarding steps using any of the provided options, you'll ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). -If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section. @@ -184,14 +184,14 @@ Support for Windows Server provides deeper insight into server activities, cover ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
## Integration with Azure Security Center -Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). From 0c2f8a5a264c3f5f59ad8ef0475298d80ee851e7 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:43:10 +0200 Subject: [PATCH 11/15] Update gov.md Adding: 1. Portal URLs. 2. Power Automate & Logic Apps integrations are now available for GCC. 3. Clarification regarding MMA & patches. --- .../microsoft-defender-atp/gov.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2bde8df0d5..2fd68eca5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -31,8 +31,18 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. +
+## Portal URLs +The following are the specific Microsoft Defender for Endpoint portal URLs: + +Customer type | Portal URL +:---|:--- +GCC | https://gcc.securitycenter.microsoft.us +GCC High | https://securitycenter.microsoft.us + +
## Endpoint versions @@ -63,7 +73,10 @@ Android | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../im iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog > [!NOTE] -> A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. +> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. + +> [!NOTE] +> Trying to onboard Windows Server 2016/2012 R2/2008 R2 SP1 or Windows 8.1 Enterprise/8 Pro/7 SP1 Enterprise/7 SP1 Pro using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud". ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): @@ -88,7 +101,6 @@ Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`win
- ## API Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: @@ -100,7 +112,6 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
- ## Feature parity with commercial Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight. @@ -126,6 +137,6 @@ Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Intune | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development -Integrations: Microsoft Power Automate & Azure Logic Apps | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development +Integrations: Microsoft Power Automate & Azure Logic Apps | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Integrations: Skype for Business / Teams | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development Microsoft Threat Experts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog From 807f04e1810c7b76dc6723c07cf0635bd5e710f4 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 01:51:12 +0200 Subject: [PATCH 12/15] Update gov.md --- .../security/threat-protection/microsoft-defender-atp/gov.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 2fd68eca5a..5223c1229a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -32,10 +32,8 @@ This offering is currently available to Microsoft 365 GCC and GCC High customers > [!NOTE] > If you are a "GCC on Commercial" customer, please refer to the public documentation pages. -
- ## Portal URLs -The following are the specific Microsoft Defender for Endpoint portal URLs: +The following are the Microsoft Defender for Endpoint portal URLs for US Government customers: Customer type | Portal URL :---|:--- From 8cdd0d0ee153d5c8ec94f7fb3d1d31011f08f82d Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 18:57:44 +0200 Subject: [PATCH 13/15] Update troubleshoot-asr.md https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9055 --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 8a626f4670..e507384f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -100,7 +100,7 @@ When you report a problem with attack surface reduction rules, you are asked to 1. Open an elevated command prompt and change to the Windows Defender directory: ```console - cd c:\program files\windows defender + cd "c:\program files\windows defender" ``` 2. Run this command to generate the diagnostic logs: From f13504560a9849a630ce0b74b5fe3781e3c613b1 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:03:07 +0200 Subject: [PATCH 14/15] Update troubleshoot-asr.md Acrolinx. --- .../troubleshoot-asr.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index e507384f99..dd95924a68 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -29,9 +29,9 @@ ms.technology: mde When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule blocks a file, process, or performs some other action that it shouldn't (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: @@ -53,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. @@ -61,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. @@ -69,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: -1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). +2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). @@ -95,7 +95,7 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: From 8d274b26124aa1bf9935770635ffc6ef49baa6cf Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 1 Feb 2021 19:06:40 +0200 Subject: [PATCH 15/15] Update troubleshoot-asr.md --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index dd95924a68..c25e934d20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -109,7 +109,7 @@ When you report a problem with attack surface reduction rules, you're asked to c mpcmdrun -getfiles ``` -3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. +3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. ## Related articles