deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into shari-FAQ

Browse Source
This commit is contained in:
Shari Kjerland 2020-12-16 17:40:58 -08:00 committed by GitHub
commit 3ab59b4fda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 509 additions and 474 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/get-product-package.md
View File

@ -1,6 +1,6 @@
---
title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business.
description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business.
ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F
ms.reviewer:
manager: dansimp
@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product package
The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business.
The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business.
## Request

4
windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet.
## Procedures
1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
5. The operating system deployment will take several minutes to complete.
@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>

4
windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -129,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
On **DC01**:
1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
@ -389,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

2
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -283,7 +283,7 @@ This section contains several procedures to support Zero Touch installation with
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Click the yellow starburst and then click **New Account**.
5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice.
6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice.
### Configure a boundary group

16
windows/deployment/windows-10-poc.md
View File

@ -214,7 +214,7 @@ Starting with Windows 8, the host computers microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V All</pre>
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All</pre>
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
@ -542,8 +542,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
<pre style="overflow-y: visible">
Resize-VHD Path c:\VHD\2012R2-poc-2.vhd SizeBytes 100GB
$x = (Mount-VHD Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
$x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
</pre>
@ -551,7 +551,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Get-Volume -DriveLetter $x
Dismount-VHD Path c:\VHD\2012R2-poc-2.vhd</pre>
Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd</pre>
### Configure Hyper-V
@ -712,7 +712,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Rename-Computer DC1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.1 PrefixLength 24 -DefaultGateway 192.168.0.2
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
</pre>
@ -749,7 +749,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
netsh dhcp add securitygroups
Restart-Service DHCPServer
Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
Set-ItemProperty Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 Name ConfigurationState Value 2
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
</pre>
10. Next, add a DHCP scope and set option values:
@ -886,7 +886,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host
Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
</pre>
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
@ -917,7 +917,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible">
Rename-Computer SRV1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.2 PrefixLength 24
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
Restart-Computer
</pre>

2
windows/deployment/windows-10-subscription-activation.md
View File

@ -91,7 +91,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multi-factor authentication

24
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -66,26 +66,18 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
### Configure Windows devices to use PIN reset using Microsoft Intune
To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.</br>
1. Sign-in to [Enpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
2. Click **Endpoint Security**-> **Account Protection**-> **Properties**.
3. Set **Enable PIN recovery** to **Yes**.
```
dsregcmd /status | findstr -snip "tenantid"
```
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager.
> 2. Click **Devices** -> **Configuration Profiles** -> Create a new profile or edit an existing profile using the Identity Protection profile type.
> 3. Set **Enable PIN recovery** to **Yes**.
1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
1. Click **OK** to save the row configuration. Click **OK** to close the <b>Custom OMA-URI Settings blade. Click **Create</b> to save the profile.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.

78
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -532,15 +532,12 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
### Download Intune Certificate Connector
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png)
3. Select **Device Configuration**, and then select **Certificate Connectors**.
![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png)
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png)
5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
6. Sign-out of the Azure Portal.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
![Intune Certificate Authority](images/aadjcert/profile01.png)
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
### Install the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
@ -639,47 +636,42 @@ Sign-in a workstation with access equivalent to a _domain user_.
### Create a SCEP Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.
![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png)
5. Select **Windows 10 and later** from the **Platform** list.
6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
9. Select **User** as a certificate type.
10. Configure **Certificate validity period** to match your organization.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**.
![Intune Device Configuration Create Profile](images/aadjcert/profile02.png)
4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Select **User** as a certificate type.
9. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
12. Select **Custom** from the **Subject name format** list.
13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
20. Click **Next**.
21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png)
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then click **Profiles**.
4. Click **WHFB Certificate Enrollment**.
![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png)
5. Click **Assignments**.
6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png)
7. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
8. Click **Save**.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

2
windows/security/identity-protection/vpn/vpn-name-resolution.md
View File

@ -52,7 +52,7 @@ Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.

3
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -37,6 +37,9 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
> [!NOTE]
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings
The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

4
windows/security/threat-protection/TOC.md
View File

@ -185,9 +185,7 @@
###### [Report on antivirus protection]()
###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)

32
windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
---
@ -27,21 +27,19 @@ manager: dansimp
You can manage and configure Microsoft Defender Antivirus with the following tools:
- Microsoft Intune (now part of Microsoft Endpoint Manager)
- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager)
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility
- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility
The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
## In this section
Article | Description
---|---
[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus
| Article | Description |
|:---|:---|
|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |

2
windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
View File

@ -56,7 +56,7 @@ For more information about the specific network-connectivity requirements to ens
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
## Use Microsoft Endpoint Configuration Manager to turn on cloud-delivered protection
## Use Microsoft Endpoint Manager to turn on cloud-delivered protection
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
2. Choose **Endpoint security** > **Antivirus**.

1
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -20,7 +20,6 @@ ms.date: 12/11/2020
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)

11
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 11/12/2020
ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -20,12 +20,9 @@ ms.custom: nextgen
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- Windows 10
- Windows Server 2016
- Windows Server 2019
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Microsoft Defender Antivirus: Your next-generation protection
@ -56,8 +53,8 @@ For information on how to configure next-generation protection services, see [Co
> [!Note]
> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
## Related articles
## See also
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)

51
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
View File

@ -10,24 +10,22 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 02/25/2020
ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
---
# Microsoft Defender Antivirus on Windows Server 2016 and 2019
# Microsoft Defender Antivirus on Windows Server 2019 and Windows Server 2016
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- Windows Server 2016
- Windows Server 2019
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
Microsoft Defender Antivirus is available on Windows Server 2019 and Windows Server 2016. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same.
While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2019 and Windows Server 2016:
- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
@ -36,9 +34,9 @@ While the functionality, configuration, and management are largely the same for
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2019-or-windows-server-2016)
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2019-or-windows-server-2016)
2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
@ -50,9 +48,9 @@ The process of setting up and running Microsoft Defender Antivirus on a server p
6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
## Enable the user interface on Windows Server 2016 or 2019
## Enable the user interface on Windows Server 2019 or Windows Server 2016
By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2019 and Windows Server 2016. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell.
### Turn on the GUI using the Add Roles and Features Wizard
@ -74,7 +72,7 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
## Install Microsoft Defender Antivirus on Windows Server 2019 or Windows Server 2016
You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
@ -121,14 +119,14 @@ The `sc query` command returns information about the Microsoft Defender Antiviru
In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
|Method |Description |
|---------|---------|
|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
@ -162,10 +160,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
@ -177,7 +175,9 @@ See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](con
If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
- See the question *Should I run Microsoft security software at the same time as other security products?* in the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
- See [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
- See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Defender for Endpoint.
@ -185,20 +185,20 @@ If you determine you do want to uninstall Microsoft Defender Antivirus, follow t
### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option.
2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
### Uninstall Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019:
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2019 or Windows Server 2016:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
@ -212,8 +212,7 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c
Uninstall-WindowsFeature -Name Windows-Defender-GUI
```
## Related topics
## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

411
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -14,10 +14,10 @@ ms.author: deniseb
ms.reviewer: sugamar, jcedola
manager: dansimp
ms.custom: asr
ms.date: 11/30/2020
ms.date: 12/10/2020
---
# Reduce attack surfaces with attack surface reduction rules
# Use attack surface reduction rules to prevent malware infection
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -26,17 +26,17 @@ ms.date: 11/30/2020
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Overview
## Why attack surface reduction rules are important
Your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.
Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviors include:
Attack surface reduction rules target certain software behaviors, such as:
- Launching executable files and scripts that attempt to download or run files;
- Running obfuscated or otherwise suspicious scripts; and
- Performing behaviors that apps don't usually initiate during normal day-to-day work.
Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
@ -44,7 +44,7 @@ For more information about configuring attack surface reduction rules, see [Enab
You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule":::
:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
@ -52,9 +52,49 @@ In the recommendation details pane, check the user impact to determine what perc
Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
## Notifications when a rule is triggered
## Warn mode for users
Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
### Requirements for warn mode to work
Warn mode is supported on devices running the following versions of Windows:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed
- Minimum platform release requirement: `4.18.2008.9`
- Minimum engine release requirement: `1.1.17400.5`
For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
### Cases where warn mode is not supported
Warn mode is not supported for the following attack surface reduction rules:
- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)
- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)
- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
## Notifications and alerts
Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
In addition, when certain attack surface reduction rules are triggered, alerts are generated.
Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
## Advanced hunting and attack surface reduction events
You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM.
For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
## Attack surface reduction features across Windows versions
@ -93,7 +133,7 @@ You can review the Windows event log to view events generated by attack surface
5. Select **OK**.
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
|Event ID | Description |
|---|---|
@ -105,25 +145,84 @@ The "engine version" listed for attack surface reduction events in the event log
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs.
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|-----|----|---|---|
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|:-----|:-----:|:-----|:-----|
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
### Block Adobe Reader from creating child processes
This rule prevents attacks by blocking Adobe Reader from creating additional processes.
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: `Process creation from Adobe Reader (beta)`
Configuration Manager name: Not yet available
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: `Office apps launching child processes`
Configuration Manager name: `Block Office application from creating child processes`
GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block credential stealing from the Windows local security authority subsystem
This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: `Flag credential stealing from the Windows local security authority subsystem`
Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block executable content from email client and webmail
@ -138,35 +237,78 @@ This rule was introduced in:
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail`
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
- Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Block execution of potentially obfuscated scripts
This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Intune name: `Obfuscated js/vbs/ps/macro code`
Configuration Manager name: Block Office application from creating child processes
Configuration Manager name: `Block execution of potentially obfuscated scripts`
GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block JavaScript or VBScript from launching downloaded executable content
This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
Although not common, line-of-business applications sometimes use scripts to download and launch installers.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
@ -174,9 +316,9 @@ This rule was introduced in:
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
Intune name: `Office apps/macros creating executable content`
SCCM name: Block Office applications from creating executable content
SCCM name: `Block Office applications from creating executable content`
GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
@ -196,130 +338,50 @@ This rule was introduced in:
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Intune name: `Office apps injecting code into other processes (no exceptions)`
Configuration Manager name: Block Office applications from injecting code into other processes
Configuration Manager name: `Block Office applications from injecting code into other processes`
GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
### Block Office communication application from creating child processes
This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
Although not common, line-of-business applications sometimes use scripts to download and launch installers.
This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Intune name: `Process creation from Office communication products (beta)`
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
Configuration Manager name: Not available
GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block execution of potentially obfuscated scripts
### Block persistence through WMI event subscription
This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
- Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
This rule prevents malware from abusing WMI to attain persistence on a device.
> [!IMPORTANT]
> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
> File and folder exclusions don't apply to this attack surface reduction rule.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Intune name: Not available
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Configuration Manager name: Not available
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block credential stealing from the Windows local security authority subsystem
This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
### Block process creations originating from PSExec and WMI commands
@ -333,7 +395,7 @@ This rule was introduced in:
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Intune name: `Process creation from PSExec and WMI commands`
Configuration Manager name: Not applicable
@ -349,69 +411,50 @@ This rule was introduced in:
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Intune name: `Untrusted and unsigned processes that run from USB`
Configuration Manager name: Block untrusted and unsigned processes that run from USB
Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
### Block Win32 API calls from Office macros
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This rule prevents VBA macros from calling Win32 APIs.
This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: `Win32 imports from Office macro code`
Configuration Manager name: `Block Win32 API calls from Office macros`
GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Process creation from Office communication products (beta)
Intune name: `Advanced ransomware protection`
Configuration Manager name: Not yet available
Configuration Manager name: `Use advanced protection against ransomware`
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block Adobe Reader from creating child processes
This rule prevents attacks by blocking Adobe Reader from creating additional processes.
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
This rule prevents malware from abusing WMI to attain persistence on a device.
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Not yet available
Configuration Manager name: Not yet available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
## See also
- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)

43
windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Contact Microsoft Defender for Endpoint support for US Government customers
description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers
keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ROBOTS: noindex,nofollow
---
# Contact Microsoft Defender for Endpoint support for US Government customers
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience.
## Using the right portal
In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal:
Environment | Portal URL
:---|:---
GCC-M | [https://gcc.securitycenter.windows.us](https://gcc.securitycenter.windows.us)
GCC-H | [https://securitycenter.windows.us](https://securitycenter.windows.us)
DoD | [https://securitycenter.windows.us](https://securitycenter.windows.us)
If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true).
## Opening a support case
For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md).

86
windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
ms.date: 11/05/2020
ms.date: 12/10/2020
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@ -28,7 +28,7 @@ ms.custom: asr
## What is controlled folder access?
Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices).
Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
@ -36,19 +36,41 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi
Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders.
Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
## Why controlled folder access is important
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
Controlled folder access is supported on the following versions of Windows:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
## Requirements
## Windows system folders are protected by default
Windows system folders are protected by default, along with several other folders:
- `c:\Users\<username>\Documents`
- `c:\Users\Public\Documents`
- `c:\Users\<username>\Pictures`
- `c:\Users\Public\Pictures`
- `c:\Users\Public\Videos`
- `c:\Users\<username>\Music`
- `c:\Users\Public\Music`
- `c:\Users\<username>\Favorites`
> [!NOTE]
> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
## Requirements for controlled folder access
Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
@ -56,7 +78,7 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti
Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled.
Example query:
@ -77,19 +99,19 @@ You can review the Windows event log to see events that are created when control
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
5. Click **OK**.
5. Select **OK**.
After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table:
The following table shows events related to controlled folder access:
|Event ID | Description |
|---|---|
|:---|:---|
|5007 | Event when settings are changed |
|1124 | Audited controlled folder access event |
|1123 | Blocked controlled folder access event |
## View or change the list of protected folders
### Windows 10 security app
You can use the Windows Security app to view the list of folders that are protected by controlled folder access.
1. On your Windows 10 device, open the Windows Security app.
@ -105,39 +127,11 @@ After following the procedure, you have created a custom view that shows events
- To remove a folder, select it, and then select **Remove**.
> [!NOTE]
> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list.
## See also
- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
## Default folders protected by controlled folder access
Windows system folders are protected by default. In addition, there are several folders that are protected by controlled folder access by default. You can configure additional folders as protected, but cannot remove the default folders from the controlled folder access protection. See [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) for more information.
Here's the list of default protected folders:
- %USERPROFILE%\Documents
- %USERPROFILE%\Favorites
- %USERPROFILE%\Music
- %USERPROFILE%\Pictures
- %USERPROFILE%\Videos
- %PUBLIC%\Documents
- %PUBLIC%\Music
- %PUBLIC%\Pictures
- %PUBLIC%\Videos
You can use the Windows Security app to view the list of default folders protected by controlled folder access:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then scroll down to the **Ransomware protection** section.
3. Click the **Manage ransomware protection** link to open the **Ransomware protection** pane.
4. Under the **Controlled folder access** section, click the **Protected folders** link.
5. Click **Yes** on the **User Access Control** prompt.
The **Protected folders** pane displays the folders that are protected by default.
## In this section
[Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders.
- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
- [Customize controlled folder access](customize-controlled-folders.md)
- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders)

16
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
ms.date: 12/10/2020
ms.date: 12/14/2020
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@ -83,11 +83,11 @@ The following image shows an instance of unwanted software that was detected and
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Microsoft Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
@ -99,9 +99,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio
## See also
[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
[Behavioral blocking and containment](behavioral-blocking-containment.md)
[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
- [Behavioral blocking and containment](behavioral-blocking-containment.md)
- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)

5
windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
View File

@ -21,7 +21,10 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>[!NOTE]
>If you are a US Gov customer, please refer to API endpoints listed in [here](gov.md#api).
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

14
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
View File

@ -52,16 +52,12 @@ To have your company listed as a partner in the in-product partner page, you wil
6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender for Endpoint-integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
- Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature.
- `MsdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
- Set the User-Agent field in each HTTP request header to the below format.
- `MdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0`
- For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).

6
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -40,7 +40,7 @@ The following OS versions are supported:
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481))
>[!NOTE]
A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
>A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
The following OS versions are supported via Azure Security Center:
- Windows Server 2008 R2 SP1
@ -108,4 +108,8 @@ Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```
Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```
## API
Login endpoint: ```https://login.microsoftonline.us```
Microsoft Defender for Endpoint API endpoint: ```https://api-gov.securitycenter.microsoft.us```

BIN
windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 315 KiB

After

Width:  |  Height:  |  Size: 312 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/autoir-action-center-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/autoir-quarantine-file-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

68
windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
View File

@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Investigate Microsoft Defender Advanced Threat Protection alerts
# Investigate alerts in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -35,70 +35,40 @@ ms.date: 04/24/2018
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them.
From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/).
## Investigate using the alert story
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
![Image of the alert page](images/atp-alert-view.png)
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
> [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
## Take action from the details pane
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page.
![A detailed view of an alert when clicked](images/atp-actor-alert.png)
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
![Image of detailed actor profile](images/atp-detailed-actor.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
## Alert process tree
The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.
> [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
![Image of the alert process tree](images/atp-alert-process-tree.png)
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
![Image of the alert details pane](images/atp-alert-mgt-pane.png)
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
![Image of the Incident graph](images/atp-incident-graph.png)
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
## Artifact timeline
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
![Image of artifact timeline](images/atp-alert-timeline.png)
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)

2
windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
View File

@ -132,8 +132,6 @@ More details about certain events are provided in the **Additional information**
- Suspicious script detected - a potentially malicious script was found running
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.
#### Event details
Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.

5
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -143,6 +143,11 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
For example, if you chose *insiders-fast* channel:
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
```
- Install the `gpg` package if not already installed:

8
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -13,9 +13,9 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
@ -90,7 +90,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Group |Scenario |Command |
|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled/disabled]` |
|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |

31
windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
View File

@ -17,7 +17,7 @@ ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.date: 12/07/2020
ms.date: 12/15/2020
---
# Review and approve remediation actions following an automated investigation
@ -97,6 +97,35 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th
4. Select an item to view more details about that remediation action.
## Undo completed actions
If youve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
| Action source | Supported Actions |
|:---|:---|
| - Automated investigation <br/>- Microsoft Defender Antivirus <br/>- Manual response actions | - Isolate device <br/>- Restrict code execution <br/>- Quarantine a file <br/>- Remove a registry key <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
### To undo multiple actions at one time
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select the actions that you want to undo.
3. In the pane on the right side of the screen, select **Undo**.
### To remove a file from quarantine across multiple devices
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
![Action center](images/autoir-action-center-1.png)
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png)
## Next steps
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)

45
windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
View File

@ -33,21 +33,21 @@ The alert page in Microsoft Defender for Endpoint provides full context to the a
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5]
## Getting started with an alert
Clicking on an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
![An alert page when you first land on it](images/alert-landing-view.png)
Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)
@ -55,42 +55,13 @@ Other information available in the details pane when the alert opens includes MI
## Review affected assets
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
![A snippet of the details pane when a device is selected](images/alert-device-details.png)
## Investigate using the alert story
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
> [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
## Take action from the details pane
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
> [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
## Related topics

3
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -39,6 +39,9 @@ The **Maximum password age** policy setting determines the period of time (in da
Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
> [!NOTE]
> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**