diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index e8fdb8a2c2..45520df78e 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -28,7 +28,7 @@ Windows Autopilot user-driven mode is designed to enable new Windows 10 devices
After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
-Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+Today, Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options.
## Available user-driven modes
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 19a71f5d22..b93eba2709 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -36,6 +36,9 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
- Windows 10 Education
- Windows 10 Enterprise 2019 LTSC
+>[!NOTE]
+>Procedures for deploying Windows Autopilot might refer to specific products and versions. The inclusion of these products in this content doesn't imply an extension of support for a version that is beyond its support lifecycle. Windows Autopilot does not support products that are beyond their support lifecycle. For more information, see [Microsoft Lifecycle Policy](https://go.microsoft.com/fwlink/p/?LinkId=208270).
+
## Networking requirements
Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index f6f7b30864..0554cb4e28 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -37,7 +37,6 @@ sections:
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved External
| November 15, 2019 05:59 PM PT |
Updates may fail to install and you may receive Error 0x80073701 Installation of updates may fail and you may receive error code 0x80073701.
See details > | OS Build 18362.145
May 29, 2019 KB4497935 | Resolved
| November 12, 2019 08:11 AM PT |
Intel Audio displays an intcdaud.sys notification Devices with a range of Intel Display Audio device drivers may experience battery drain.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved External
| November 12, 2019 08:04 AM PT |
- Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4505903 | July 26, 2019 02:00 PM PT |
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4517389 | October 08, 2019 10:00 AM PT |
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.
See details > | N/A
| Resolved KB4522355 | October 24, 2019 10:00 AM PT |
dGPU occasionally disappear from device manager on Surface Book 2 Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.
See details > | OS Build 18362.145
May 29, 2019 KB4497935 | Resolved
| October 18, 2019 04:33 PM PT |
@@ -54,8 +53,6 @@ sections:
Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | OS Build 18362.175
June 11, 2019 KB4503293 | Resolved KB4512941 | August 30, 2019 10:00 AM PT |
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.
See details > | OS Build 18362.175
June 11, 2019 KB4503293 | Resolved External
| August 09, 2019 07:03 PM PT |
- Display brightness may not respond to adjustments Devices configured with certain Intel display drivers may experience a driver compatibility issue.
See details > | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4505903 | July 26, 2019 02:00 PM PT |
- RASMAN service may stop working and result in the error “0xc0000005” The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.
See details > | OS Build 18362.145
May 29, 2019 KB4497935 | Resolved KB4505903 | July 26, 2019 02:00 PM PT |
"
@@ -116,15 +113,6 @@ sections:
"
-- title: June 2019
-- items:
- - type: markdown
- text: "
- Details | Originating update | Status | History |
- RASMAN service may stop working and result in the error “0xc0000005” The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.
This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.
Affected platforms - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903. Back to top | OS Build 18362.145
May 29, 2019 KB4497935 | Resolved KB4505903 | Resolved: July 26, 2019 02:00 PM PT
Opened: June 28, 2019 05:01 PM PT |
-
- "
-
- title: May 2019
- items:
- type: markdown
@@ -133,8 +121,6 @@ sections:
Intermittent loss of Wi-Fi connectivity Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903. Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved External
| Last updated: November 22, 2019 04:10 PM PT
Opened: May 21, 2019 07:13 AM PT |
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903
- Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903. Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved External
| Last updated: November 15, 2019 05:59 PM PT
Opened: May 21, 2019 07:29 AM PT |
Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8). To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.
Note If you are still experiencing the issue described, please contact your device manufacturer (OEM). Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved External
| Last updated: November 12, 2019 08:04 AM PT
Opened: May 21, 2019 07:22 AM PT |
- Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Microsoft has identified some scenarios in which these features may have issues or stop working, for example: - Connecting to (or disconnecting from) an external monitor, dock, or projector
- Rotating the screen
- Updating display drivers or making other display mode changes
- Closing full screen applications
- Applying custom color profiles
- Running applications that rely on custom gamma ramps
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4505903 | Resolved: July 26, 2019 02:00 PM PT
Opened: May 21, 2019 07:28 AM PT |
Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4512941. Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4512941 | Resolved: August 30, 2019 10:00 AM PT
Opened: May 24, 2019 04:20 PM PT |
- Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms: - Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed. Back to top | OS Build 18362.116
May 21, 2019 KB4505057 | Resolved KB4505903 | Resolved: July 26, 2019 02:00 PM PT
Opened: May 21, 2019 07:56 AM PT |
"
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index f88f58ac4c..a5cd7e2724 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,7 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary | Originating update | Status | Last updated |
- Custom wallpaper displays as black Using a custom image set to \"Stretch\" might not display as expected.
See details > | January 14, 2020 KB4534310 | Mitigated
| January 24, 2020 09:15 AM PT |
+ Custom wallpaper displays as black Using a custom image set to \"Stretch\" might not display as expected.
See details > | January 14, 2020 KB4534310 | Mitigated
| January 27, 2020 12:27 PM PT |
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details > |
| Resolved
| January 23, 2020 02:08 PM PT |
TLS connections might fail or timeout Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | October 08, 2019 KB4519976 | Mitigated External
| November 05, 2019 03:36 PM PT |
IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
See details > | August 13, 2019 KB4512506 | Mitigated
| August 17, 2019 12:59 PM PT |
@@ -79,7 +79,7 @@ sections:
- type: markdown
text: "
Details | Originating update | Status | History |
- Custom wallpaper displays as blackAfter installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Workaround: To mitigate the issue, you can do one of the following: - Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
- Choose a custom wallpaper that matches the resolution of your desktop.
Next steps: We are working on a resolution and estimate a solution will be available in mid-February for organizations who have purchased Windows 7 Extended Security Updates (ESU). Back to top | January 14, 2020 KB4534310 | Mitigated
| Last updated: January 24, 2020 09:15 AM PT
Opened: January 24, 2020 09:15 AM PT |
+ Custom wallpaper displays as blackAfter installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1
Workaround: To mitigate the issue, you can do one of the following: - Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
- Choose a custom wallpaper that matches the resolution of your desktop.
Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1. Back to top | January 14, 2020 KB4534310 | Mitigated
| Last updated: January 27, 2020 12:27 PM PT
Opened: January 24, 2020 09:15 AM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 671d2a1748..7cd86d392d 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -50,6 +50,7 @@ sections:
text: "
Message | Date |
+ January 2020 Windows 10, version 1909 \"D\" optional release is available.
The January 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 28, 2020 08:00 AM PT |
January 2020 Windows \"C\" optional release is available.
The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 23, 2020 12:00 PM PT |
Windows 7 has reached end of support
| January 15, 2020 10:00 AM PT |
Take action: January 2020 security update available for all supported versions of Windows
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | January 14, 2020 08:00 AM PT |
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 6bd34daec8..e37e6d8711 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -34,8 +34,11 @@
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
-##### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
-##### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+##### [Web threat protection]()
+###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
+###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
+###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
@@ -400,6 +403,9 @@
####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
+####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
+####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
+####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
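Review bot: the added entry `Get security recommendation` has a singular title but links to `get-security-recommendations.md`, while the two entries added next to it (`Get installed software`, `Get discovered vulnerabilities`) match their file names. Suggest titling it `Get security recommendations` so the TOC label and the target agree.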
@@ -450,6 +456,34 @@
####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
+###### [Score]()
+####### [Score methods and properties](microsoft-defender-atp/score.md)
+####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
+####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
+####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
+
+###### [Software]()
+####### [Software methods and properties](microsoft-defender-atp/software.md)
+####### [List software](microsoft-defender-atp/get-software.md)
+####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
+####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
+####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
+####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
+
+###### [Vulnerability]()
+####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
+####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
+####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
+
+###### [Recommendation]()
+####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
+####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
+####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
+####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
+####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md)
+####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
+
##### [How to use APIs - Samples]()
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
###### [Power BI](microsoft-defender-atp/api-power-bi.md)
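Review bot: the new Software, Vulnerability and Recommendation entries spell the suffix `by Id` (`Get software by Id`, `Get vulnerability by Id`, `Get recommendation by Id`), whereas the existing Machine entry in this TOC is `Get machine by ID`. Pick one casing for the whole API section. The verbs also drift within the added block: list operations are titled `List machines by software` under Software but `Get recommendation by machines` under Recommendation; using `List` for every collection-returning call would make the tree easier to scan.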
@@ -457,11 +491,18 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
+#### [Windows updates (KB) info]()
+##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
+
+#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
+##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
+
+#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
-
+
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
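Review bot: `#### [Pull detections to your SIEM tools]()` is added with an empty link and no child entries, and is followed directly by `#### [Raw data streaming API]()` at the same heading level, so it will render as an empty node. If it is meant to be the parent of the raw data streaming and SIEM integration entries, those need to be demoted one level in this change; otherwise drop the line. The `-`/`+` pair on the blank line before `SIEM integration` is a whitespace-only change and can be left out of the patch.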
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 698e0aeb8d..162531b03e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -118,7 +118,7 @@ If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP
## Microsoft Defender ATP service backend IP range
-If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+If your network devices don't support the URLs white-listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index c91de23386..8c836888bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -57,6 +57,10 @@ Machines | Run API calls such as get machines, get machines by ID, information a
Machine Actions | Run API call such as Isolation, Run anti-virus scan and more.
Indicators | Run API call such as create Indicator, get Indicators and delete Indicators.
Users | Run API calls such as get user related alerts and user related machines.
+Score | Run API calls such as get exposure score or get device secure score.
+Software | Run API calls such as list vulnerabilities by software.
+Vulnerability | Run API calls such as list machines by vulnerability.
+Recommendation | Run API calls such as Get recommendation by Id.
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
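Review bot: the Recommendation row writes the call name in title case (`Get recommendation by Id`) while the three rows added above it use lower case (`get exposure score`, `list vulnerabilities by software`, `list machines by vulnerability`). Suggest `get recommendation by ID` for consistency with the rest of the table.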
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
new file mode 100644
index 0000000000..34c6863e7d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -0,0 +1,104 @@
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ },
+…
+}
+```
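Review bot: the example response in this new file is not usable as written. `Content-type: json` is not a media type (it should read `Content-type: application/json`), and the body goes from the first array element to `…` and then `}` without ever closing the `value` array with `]`. Two smaller points: the example request omits the `Authorization: Bearer {token}` header that the Request headers table marks as **Required**, and the fenced blocks carry no language tag (`http` / `json`), so they will not be highlighted.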
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
new file mode 100644
index 0000000000..01869cd89b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -0,0 +1,92 @@
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get all vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ },
+ {
+..
+}
+```
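Review bot: The response example under **Response** is not valid JSON. The fence opens with a `Content-type: json` line, and the body is cut off with `{`, `..`, `}`, which leaves the second object and the `value` array unclosed. Move the content type out of the fence and either close the array after the first entry or add the truncation note used on the score pages in this patch. The path is also spelled `/api/vulnerabilities` in the HTTP request section and `/api/Vulnerabilities` in the example request; pick one casing.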
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
new file mode 100644
index 0000000000..dfd844de6b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -0,0 +1,84 @@
+---
+title: Get Device Secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get Device Secure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational device secure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the with device secure score data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340,
+ "rbacGroupId": null
+}
+```
+
+## Related topics
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
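Review bot: The Application permission in the Permissions table reads `Score.Read.Alll`, with three l's; the exposure score pages in this patch use `Score.Read.All`, and a reader copying the value from this page gets a name that does not match them. Also in this file: the Response sentence has a doubled phrase ("with the with device secure score data"), the front-matter keywords (`alerts, recent`) do not describe this endpoint, and the note about a truncated "response list" sits above a single-entity response with nothing elided.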
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
new file mode 100644
index 0000000000..e20da5c5b7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -0,0 +1,89 @@
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-1348",
+ "name": "CVE-2019-1348",
+ "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 1,
+ "publishedOn": "2019-12-13T00:00:00Z",
+ "updatedOn": "2019-12-13T00:00:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+}
+```
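Review bot: The response example never closes the `value` array: after the single vulnerability object the block goes straight to the final `}`, so the sample does not parse as JSON. Add the `]` before the closing brace, and consider a json-tagged fence as on the score pages in this patch.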
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
new file mode 100644
index 0000000000..389758df52
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -0,0 +1,86 @@
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+
+## HTTP request
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706,
+ "rbacGroupId": null
+}
+
+```
+
+## Related topics
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
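Review bot: The [!NOTE] before the response says the "response list shown here may be truncated", but the example is a single `ExposureScore/$entity` object with nothing elided; drop the note or reword it. There is also a stray blank line before the closing fence of the JSON block.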
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
new file mode 100644
index 0000000000..1b2a634eff
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -0,0 +1,85 @@
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per machine, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
new file mode 100644
index 0000000000..5664ee56dd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -0,0 +1,96 @@
+---
+title: List exposure score by machine group
+description: Retrieves a list of exposure scores by machine group.
+keywords: apis, graph api, supported apis, get, exposure score, machine group, machine group exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List exposure score by machine group
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/exposureScore/ByMachineGroups
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with a list of exposure score per machine group data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T09:51:28.214338Z",
+ "score": 41.38041766305988,
+ "rbacGroupId": 10
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143399Z",
+ "score": 37.403726933165366,
+ "rbacGroupId": 11
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143407Z",
+ "score": 26.390921344426033,
+ "rbacGroupId": 9
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143414Z",
+ "score": 23.58823563070858,
+ "rbacGroupId": 5
+ }
+ ]
+}
+```
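Review bot: The summary line under the heading, "Retrieves a collection of alerts related to a given domain address.", describes a different API; it should match the front-matter description, "Retrieves a list of exposure scores by machine group." In the Request headers table the rows are missing their trailing pipe, and `Bearer {token}.**Required**.` needs a space before the bold text, as on the other pages in this patch.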
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
new file mode 100644
index 0000000000..dd922cae08
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -0,0 +1,89 @@
+---
+title: List machines by software
+description: Retrieve a list of machines that has this software installed.
+keywords: apis, graph api, supported apis, get, list machines, machines list, list machines by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List machines by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of machines that has this software installed
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of machines with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 9
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 9
+ },
+…
+}
+```
+
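Review bot: The response example is cut off with a bare `…` after a trailing comma, so the `value` array is never closed and the sample is not valid JSON; close the array after the second machine or add the truncation note used on the score pages. The `{Id}` segment in `GET /api/Software/{Id}/machineReferences` is not explained anywhere on the page; one sentence saying it is the software ID (the example uses `microsoft-_-edge`) would help. "a list of machines that has this software installed" should read "that have" in both the front-matter description and the summary line, and the summary line is missing its period.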
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
new file mode 100644
index 0000000000..37a235d516
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -0,0 +1,88 @@
+---
+title: List machines by vulnerability
+description: Retrieves a list of machines affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, machines list, vulnerable machines, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List machines by vulnerability
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of machines affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 1268
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 410
+ }
+ ]
+ }
+```
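Review bot: The Response section says the method returns "the vulnerability information in the body", but the endpoint and the example return a `MachineReferences` list; say it returns the list of machines affected by the vulnerability. In the example, `Content-type: json` sits inside the code fence ahead of the body, and `"computerDnsName": "chat_Desk "` carries a trailing space inside the string.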
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
new file mode 100644
index 0000000000..86f7eef853
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -0,0 +1,93 @@
+---
+title: Get recommendation by Id
+description: Retrieves a security recommendation by its ID.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
+ "id": "va-_-google-_-chrome",
+ "productName": "chrome",
+ "recommendationName": "Update Chrome",
+ "weaknesses": 38,
+ "vendor": "google",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 3.9441860465116285,
+ "totalMachineCount": 6,
+ "exposedMachinesCount": 5,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Chrome"
+}
+```
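Review bot: The Response section says the method returns "the security recommendations" (plural), but `GET /api/recommendations/{id}` returns a single `Recommendations/$entity` object; use the singular. The front-matter title says "by Id" while the heading says "by ID", and the `Content-type: json` line inside the fence keeps the example from being copied as JSON.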
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
new file mode 100644
index 0000000000..0060478641
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -0,0 +1,81 @@
+---
+title: Get recommendation by machines
+description: Retrieves a list of machines associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by machines
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of machines associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of machines associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
+ "computerDnsName": "niw_pc",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 2154
+ },
+…
+}
+```
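Review bot: The title and heading "Get recommendation by machines" read as if the call returns a recommendation, but per the description it returns the machines associated with a recommendation; a title such as "List machines by recommendation" would match the other machineReferences pages in this patch. The response example ends with `},` followed by `…`, which leaves the `value` array unclosed, and it opens with a `Content-type: json` line inside the fence.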
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
new file mode 100644
index 0000000000..e8473ba5f8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -0,0 +1,81 @@
+---
+title: Get recommendation by software
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
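Review bot: The description "Retrieves a security recommendation related to a specific software" is the reverse of what the page shows: `{id}` in `GET /api/recommendations/{id}/software` is a recommendation ID (`va-_-google-_-chrome` in the example request) and the response is a software object (`"id": "google-_-chrome"`). Reword the title, description and summary line to say the call returns the software associated with a recommendation. The `Content-type: json` line should also move out of the fenced response body.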
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
new file mode 100644
index 0000000000..48f13ed4b9
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -0,0 +1,90 @@
+---
+title: Get recommendation by vulnerabilities
+description: Retrieves a list of vulnerabilities associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of vulnerabilities associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-13748",
+ "name": "CVE-2019-13748",
+ "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
+ "severity": "Medium",
+ "cvssV3": 6.5,
+ "exposedMachines": 0,
+ "publishedOn": "2019-12-10T00:00:00Z",
+ "updatedOn": "2019-12-16T12:15:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ },
+…
+}
+```
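Review bot: The response example is truncated with `…` after `},`, so the `value` array is never closed, and the fence opens with `Content-type: json`; close the array or add the truncation note used on the score pages, and move the content type out of the body. The title "Get recommendation by vulnerabilities" also reads in the wrong direction, since the description says the call returns the vulnerabilities associated with a recommendation; "List vulnerabilities by recommendation" would say that.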
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
new file mode 100644
index 0000000000..4256ba1c8c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -0,0 +1,97 @@
+---
+title: Get security recommendations
+description: Retrieves a collection of security recommendations related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get security recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of security recommendations related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-git-scm-_-git",
+ "productName": "git",
+ "recommendationName": "Update Git to version 2.24.1.2",
+ "weaknesses": 3,
+ "vendor": "git-scm",
+ "recommendedVersion": "2.24.1.2",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 0,
+ "totalMachineCount": 0,
+ "exposedMachinesCount": 1,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Git"
+ },
+…
+}
+```
\ No newline at end of file
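Review bot: The sample recommendation reports `"totalMachineCount": 0` alongside `"exposedMachinesCount": 1`, which contradicts the property definitions added in recommendation.md (exposed machines are a subset of installed machines). Use a sample whose counts agree, or explain the case. The `"value": [` array is also never closed before the final `}`, and the file ends without a trailing newline.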
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
new file mode 100644
index 0000000000..663bac6747
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -0,0 +1,83 @@
+---
+title: Get software by Id
+description: Retrieves a list of exposure scores by machine group.
+keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get software by Id
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves software details by ID
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the specified software data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+}
+```
+
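Review bot: The front-matter `description` reads "Retrieves a list of exposure scores by machine group.", which belongs to a different page; the body says "Retrieves software details by ID". Replace the description with the body's wording, since it is what search results show. In the request-headers table the header and data rows lack the trailing `|` that the separator row has, and `Bearer {token}.**Required**.` needs a space before the bold text to match the other pages in this change.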
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
new file mode 100644
index 0000000000..39a3275bf2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -0,0 +1,86 @@
+---
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
+keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software version distribution
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of your organization's software version distribution
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/distributions
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a list of software distributions data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
+ "value": [
+ {
+ "version": "11.0.17134.1039",
+ "installations": 1,
+ "vulnerabilities": 11
+ },
+ {
+ "version": "11.0.18363.535",
+ "installations": 750,
+ "vulnerabilities": 0
+ },
+…
+}
+
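Review bot: The `json` code fence opened for the response sample is never closed; the file ends after the final `}`, so anything appended later will render as code. Add the closing fence, and close the `"value": [` array before the final `}`. The sample's `@odata.context` also points at `api-us.securitycenter.windows.com` while the request example calls `api.securitycenter.windows.com`; use one host or say that the context reflects the tenant's region.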
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
new file mode 100644
index 0000000000..67bfa09292
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -0,0 +1,84 @@
+---
+title: List software
+description: Retrieves a list of software inventory
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software inventory API
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organization software inventory
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software inventory in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
+ "value": [
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ },
+….
+}
\ No newline at end of file
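Review bot: The response sample's code fence is opened but never closed, and the file ends without a trailing newline. Close the fence, close the `"value": [` array before the final `}`, and change the `….` elision to the plain `…` used on the sibling pages. The front-matter title is "List software" while the H1 is "List software inventory API"; pick one so the page title and the navigation entry agree.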
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
new file mode 100644
index 0000000000..6984c10ec6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -0,0 +1,93 @@
+---
+title: List vulnerabilities by software
+description: Retrieve a list of vulnerabilities in the installed software.
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of vulnerabilities in the installed software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/vulnerabilities
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ },
+
+…
+}
+```
+
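Review bot: The Response section has a doubled article: "returns 200 OK with a a list of vulnerabilities" should read "with a list of vulnerabilities". As on the other collection pages in this change, the sample's `"value": [` array is not closed before the final `}`; add the `]` so the sample shows the actual response shape.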
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
new file mode 100644
index 0000000000..f87c04ae43
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -0,0 +1,86 @@
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+}
+```
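Review bot: The path casing differs between the request template and the example: the HTTP request section gives `GET /api/vulnerabilities/{cveId}` while the example calls `/api/Vulnerabilities/CVE-2019-0608`. State one canonical form, since callers copy these into scripts and allow-lists. The `Content-type: json` line inside the response fence makes the sample unparseable; move it out of the fence. The front-matter title says "by Id" and the H1 says "by ID".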
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png
new file mode 100644
index 0000000000..8c4e86272a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png
new file mode 100644
index 0000000000..d01215dee9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png
new file mode 100644
index 0000000000..d9fc4ed73a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png
new file mode 100644
index 0000000000..c6c86c4c3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png
new file mode 100644
index 0000000000..bba1d35a38
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png
new file mode 100644
index 0000000000..58fd253994
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png
new file mode 100644
index 0000000000..7b47ead343
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 755dafb1e4..297de5d17d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -68,7 +68,7 @@ The **Alert process tree** takes alert triage and investigation to the next leve
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
->The alert process tree might not be available in some alerts.
+>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 4edb6f1e70..a38094be67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -22,6 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method|Return Type |Description
@@ -30,6 +31,9 @@ Method|Return Type |Description
[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity.
[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md).
[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md).
+[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID.
+[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
@@ -52,29 +56,4 @@ riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. P
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
-
-
-## Json representation
-
-```json
-{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
-}
-```
\ No newline at end of file
+exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
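Review bot: The added `exposureLevel` row carries the same enum values and near-identical wording as the existing `exposureScore` row two lines above it, so the table now documents two properties for what reads as one value; the JSON sample removed here only ever showed `exposureLevel`. Confirm which name the API returns and drop or correct the other row. Deleting the JSON representation section without a replacement also leaves the page with no sample of the machine entity; keep an updated sample or link to one.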
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index f67f450978..1247c43078 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -31,7 +31,8 @@ Reduce your attack surfaces by minimizing the places where your organization is
|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
-|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content.
|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
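Review bot: The added Web protection row ends without the closing `|` that every other row in this table has; add it so the row renders consistently. The description also mixes an imperative with "help you regulate"; something like "Help secure your machines against web threats and regulate unwanted content." matches the voice of the neighbouring rows.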
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index b02f8e485d..4cde145e4c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -43,6 +43,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
+
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
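Review bot: In the added Threat & Vulnerability Management API support bullet, "such as get your organization's threat exposure score" does not parse. Reword to "such as getting your organization's threat exposure score or device secure score, ..." and join the last list item with "and" ("machine vulnerability information, and security recommendation information").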
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
new file mode 100644
index 0000000000..221645d516
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -0,0 +1,59 @@
+---
+title: Recommendation methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Recommendation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
+[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
+[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation
+[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Recommendation ID
+productName | String | Related software name
+recommendationName | String | Recommendation name
+Weaknesses | Long | Number of discovered vulnerabilities
+Vendor | String | Related vendor name
+recommendedVersion | String | Recommended version
+recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack
+subCategory | String | Recommendation sub-category
+severityScore | Double | Potential impact of the configuration to the organization’s configuration score (1-10)
+publicExploit | Boolean | Public exploit is available
+activeAlert | Boolean | Active alert is associated with this recommendation
+associatedThreats | String collection | Threat analytics report is associated with this recommendation
+remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall”
+Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception”
+configScoreImpact | Double | Configuration score impact
+exposureImpacte | Double | Exposure score impact
+totalMachineCount | Long | Number of installed machines
+exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities
+nonProductivityImpactedAssets | Long | Number of machines which are not affected
+relatedComponent | String | Related software component
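Review bot: In the Properties table, `exposureImpacte` looks like a misspelling of the property name (its description reads "Exposure score impact"); please confirm it against the API response and correct it, since readers will copy these names into queries. In the same table the `recommendationCategory` row is missing the closing quote after “SecurityStack, the `remediationType` row mixes quote directions (`”Uninstall”`), and `Weaknesses`, `Vendor` and `Status` are capitalized while the other properties are camelCase. The `nonProductivityImpactedAssets` description ("Number of machines which are not affected") does not explain what the name refers to; one more sentence there would help.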
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
new file mode 100644
index 0000000000..9a903d296f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -0,0 +1,77 @@
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group.
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupId | Nullable Int | RBAC Group ID.
+
+
+### Response example for getting machine groups score:
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups
+```
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T07:26:49.9376328Z",
+ "score": 41.38041766305988,
+ "rbacGroupId": 10
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376375Z",
+ "score": 23.58823563070858,
+ "rbacGroupId": 5
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376382Z",
+ "score": 37.403726933165366,
+ "rbacGroupId": 11
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376388Z",
+ "score": 26.323200116475423,
+ "rbacGroupId": 9
+ }
+ ]
+}
+
+
+```
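Review bot: The Properties table names the fields `Score`, `Time` and `RbacGroupId`, but the response example returns `score`, `time` and `rbacGroupId`; list the properties with the casing the API actually returns. The heading says "Response example" while the first block under it is the request, so label the request and the response separately, and drop the two blank `+` lines before the closing fence of the JSON block. `RbacGroupId` is typed as Nullable Int without saying when it is null, and the request host `api.securitycenter.windows.com` differs from the `api-us.securitycenter.windows.com` host in `@odata.context`; a sentence on each would save readers a question.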
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
new file mode 100644
index 0000000000..49e8e4c12d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -0,0 +1,47 @@
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed machines
+impactScore | Double | Exposure score impact of this software
+
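Review bot: The front matter `description: Retrieves top recent alerts.` and the keywords `get, alerts, recent` appear to be carried over from an alerts page and do not describe the Software resource; replace them with text about the software inventory so search results and page previews are accurate. In the Properties table, `Name`, `Vendor` and `Weaknesses` are capitalized while `id`, `publicExploit`, `activeAlert`, `exposedMachines` and `impactScore` are camelCase; use the casing the API returns.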
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
new file mode 100644
index 0000000000..0ede996269
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -0,0 +1,50 @@
+---
+title: Vulnerability methods and properties
+description: Retrieves vulnerability information
+keywords: apis, graph api, supported apis, get, vulnerability
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Vulnerability resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
+[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Vulnerability ID
+Name | String | Vulnerability title
+Description | String | Vulnerability description
+Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
+cvssV3 | Double | CVSS v3 score
+exposedMachines | Long | Number of exposed machines
+publishedOn | DateTime | Date when vulnerability was published
+updatedOn | DateTime | Date when vulnerability was updated
+publicExploit | Boolean | Public exploit exists
+exploitVerified | Boolean | Exploit is verified to work
+exploitInKit | Boolean | Exploit is part of an exploit kit
+exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
+exploitUris | String collection | Exploit source URLs
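Review bot: The `exploitTypes` row lists “Denial of service” twice among its possible values, so either one entry is a duplicate or a different value was intended; please correct the list. `Name`, `Description` and `Severity` are capitalized while the remaining properties (`id`, `cvssV3`, `exposedMachines`, and so on) are camelCase; match the casing the API returns.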
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
new file mode 100644
index 0000000000..5a60f9e9ae
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -0,0 +1,171 @@
+---
+title: Web content filtering
+description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories.
+keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Web content filtering
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+
+Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
+
+You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
+
+Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.
+
+To summarize the benefits:
+
+- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
+- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- You can access web reports in the same central location, with visibility over actual blocks and web usage
+
+## User experience
+
+The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
+For a more user-friendly experience, consider using SmartScreen on Edge.
+
+## Prerequisites
+
+Before trying out this feature, make sure you have the following:
+
+- Windows 10 Enterprise E5 license
+- Access to Microsoft Defender Security Center portal
+- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
+- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking
+- A valid license with a partner data provider
+
+## Data handling
+
+For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+
+## Partner licensing
+
+In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. We’ve chosen [Cyren](https://www.cyren.com/threat-intelligence) as our first partner, who we’ve worked with closely to build an integrated solution.
+
+### About Cyren and Threat Intelligence Service for Microsoft Defender ATP
+
+Cyren’s URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced web security applications. Cyren’s comprehensive categories provide the necessary flexibility for any implementation requirement.
+
+The broad range of categories enables numerous applications:
+
+- Protecting users browsing the web from threats such as malware and phishing sites
+- Ensuring employee productivity
+- Consumer services such as parental control
+
+Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities.
+
+Learn more at https://www.cyren.com/products/url-filtering.
+
+### Cyren permissions
+
+"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
+
+"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal.
+
+### Signing up for a Cyren License
+
+Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+
+>[!NOTE]
+>A user with AAD app admin/global admin permissions is required to complete these steps.
+
+1. Go to **Reports > Web protection** from the side navigation
+2. Select the **Connect to a partner** button
+3. Go through the flow from the flyout to register and connect your Cyren account
+
+## Turn on web content filtering
+
+From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
+
+### Configure web content filtering policies
+
+Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
+
+Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups.
+
+### Create a policy
+
+To add a new policy:
+
+1. Select **Add policy** on the **Web content filtering** page in **Settings**.
+2. Specify a name.
+3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
+4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
+5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines.
+
+>[!NOTE]
+>If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment.
+
+## Web content filtering cards and details
+
+Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
+
+### Web activity by category
+
+This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+
+In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+
+
+
+### Web content filtering summary card
+
+This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
+
+
+
+### Web activity summary card
+
+This card displays the total number of requests for web content in all URLs.
+
+
+
+### View card details
+
+You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and machine groups.
+
+
+
+- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
+
+- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
+
+- **Machine groups**: Lists all the machine groups that have generated web activity in your organization
+
+Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
+
+## Errors and issues
+
+### Why am I seeing the error "Need admin approval" when trying to connect to Cyren?
+
+You need to be logged in to an AAD account with either App administrator or Global Administrator privileges. Your IT admin would most likely either have these permissions and/or be able to grant them to you.
+
+### Limitations and known issues in this preview
+
+- Unassigned machines will have incorrect data shown within the report. In the Report details > Machine groups pivot, you may see a row with a blank Machine Group field. This group contains your unassigned machines in the interim before they get put into your specified group. The report for this row may not contain an accurate count of machines or access counts.
+
+- The data in our reports may not be congruent with other data on the site. We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page.
+
+## Related topics
+
+- [Web protection overview](web-protection-overview.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
+- [Respond to web threats](web-protection-response.md)
\ No newline at end of file
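Review bot: The prerequisite that requires "the latest MoCAMP update" uses a term that is not defined or linked anywhere in this file; spell it out or link to the update so admins can verify that their machines meet it. Under "Cyren permissions", "This line allows Cyren to add/modify/revoke ..." should name the permission rather than say "This line". The introduction says "See the prerequisites section" without linking to it, "Learn more at https://www.cyren.com/products/url-filtering." is a bare URL where the rest of the page uses Markdown links, and the file ends without a trailing newline.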
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
index da6e550794..36d58deb28 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
@@ -8,14 +8,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
# Monitor web browsing security
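Review bot: The front matter line `ms.date: 08/30/2019` is deleted rather than updated. If dropping the field is intentional, say so in the change description; otherwise set it to the date of this revision so readers can tell how current the page is. The same deletion appears in the web-protection-overview.md and web-protection-response.md hunks.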
@@ -54,4 +53,6 @@ Select a domain to view the list of machines that have attempted to access URLs
## Related topics
- [Web protection overview](web-protection-overview.md)
+- [Web content filtering](web-content-filtering.md)
+- [Web threat protection](web-threat-protection.md)
- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
index 37f62a101c..d3dd75a836 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
@@ -1,5 +1,5 @@
---
-title: Overview of web protection in Microsoft Defender ATP
+title: Web protection
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
@@ -8,43 +8,44 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
-# Protect your organization against web threats
+# Web protection
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
+Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your machines against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
->[!Note]
->It can take up to an hour for machines to receive new customer indicators.
+
-With web protection, you also get:
+## Web threat protection
+
+The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**.
+
+Web threat protection includes:
- Comprehensive visibility into web threats affecting your organization
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
- A full set of security features that track general access trends to malicious and unwanted websites
-## Prerequisites
-Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
+## Web content filtering
-To turn on network protection on your machines:
-- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
-- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
-
->[!Note]
->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
+Web content filtering includes:
+- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
+- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- You can access web reports in the same central location, with visibility over actual blocks and web usage
## In this section
+
Topic | Description
:---|:---
-[Monitor web security](web-protection-monitoring.md) | Monitor attempts to access malicious and unwanted websites.
-[Respond to web threats](web-protection-response.md) | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked.
+[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked.
+[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.
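Review bot: The rewritten "In this section" table drops the rows for `web-protection-monitoring.md` and `web-protection-response.md`, so the overview no longer links to the monitoring and response topics; keep those two rows alongside the new ones unless they are surfaced somewhere else. Under "## Web content filtering", the lead-in "Web content filtering includes:" is followed by bullets written as full sentences ("Users are prevented from ...", "You can ..."), which reads as a pasted benefits list; reword the lead-in or the bullets so they agree.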
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
index e963f8f504..e9e6949f27 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
@@ -8,14 +8,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
# Respond to web threats
@@ -67,4 +66,6 @@ With web protection in Microsoft Defender ATP, your end users will be prevented
## Related topics
- [Web protection overview](web-protection-overview.md)
-- [Monitor web security](web-protection-monitoring.md)
+- [Web content filtering](web-content-filtering.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
\ No newline at end of file
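Review bot: The `Monitor web security` link is removed and re-added unchanged only because the file now ends without a trailing newline (`\ No newline at end of file`); restore the final newline so this hunk shows just the two added links.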
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
new file mode 100644
index 0000000000..66e0e293ed
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
@@ -0,0 +1,45 @@
+---
+title: Protect your organization against web threats
+description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Protect your organization against web threats
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+
+Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
+
+>[!Note]
+>It can take up to an hour for machines to receive new customer indicators.
+
+## Prerequisites
+Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
+
+To turn on network protection on your machines:
+- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
+- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
+
+>[!Note]
+>If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+
+## Related topics
+
+- [Web protection overview](web-protection-overview.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
+- [Respond to web threats](web-protection-response.md)
+- [Network protection](network-protection.md)
\ No newline at end of file
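Review bot: In "Related topics", the entry `[Web threat protection](web-threat-protection.md)` links to this page itself, and the sibling `web-content-filtering.md` topic is not listed; replace the self-link with the web content filtering link. Under "## Prerequisites" the sentence begins "Web protection uses network protection" while the rest of the page says "web threat protection"; use one term. The note says "new customer indicators" right after the paragraph that links to the "custom indicator list", so confirm whether "custom indicators" is meant. The file also ends without a trailing newline.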
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 5fa737a5b4..128fb4d3a3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -18,29 +18,63 @@ ms.date: 05/17/2018
---
> [!NOTE]
-> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
+> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
+You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
-You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. By using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps as defined by the Intelligent Security Graph.
+In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
+
+## Using Intune's Built-In Policies
1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
-3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
+2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.

-4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
+3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
- **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.
- **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
- 
-
-To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/intune/configuration/custom-settings-windows-10).
+ 
+
+## Using a Custom OMA-URI Profile
+
+### For 1903+ systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
+
+1. Know a generated policy’s GUID, which can be found in the policy xml as ``
+2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+5. Add a row, then give your policy a name and use the following settings:
+ - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
+ - **Data type**: Base64
+ - **Certificate file**: upload your binary format policy file
+
+ 
+
+> [!NOTE]
+> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+
+### For pre-1903 systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
+
+1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+4. Add a row, then give your policy a name and use the following settings:
+ - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
+ - **Data type**: Base64
+ - **Certificate file**: upload your binary format policy file
+
+> [!NOTE]
+> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
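Review bot: Step 1 under "For 1903+ systems" ends in an empty code span ("which can be found in the policy xml as ``"), so the reader is never told which element of the policy XML holds the GUID that step 5 needs for the OMA-URI; restore the element name, escaped if necessary so it renders. In the pre-1903 list, the OMA-URI value in step 4 ends with a stray ")" ("/CodeIntegrity/Policy)"), which will be pasted into the Intune row as written and should be removed. The rebootless-delete note would be clearer if it said whether the Allow All replacement has to be deployed to the same _Policy GUID_ path as the policy it replaces, since the text only says "replace the existing policy". Smaller points: "fully deactive the policy" should read "deactivate", "either deploy an audit-mode policy and/or use a script" should be "either ... or", and the re-added NOTE and "Applies to" lines show no visible text change from the lines they replace, so if they are whitespace-only they can be left out of this change.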
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
new file mode 100644
index 0000000000..12ec2b924f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
new file mode 100644
index 0000000000..c37d55910d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
new file mode 100644
index 0000000000..e132440266
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png
new file mode 100644
index 0000000000..1ba4774163
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png differ