diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ef2e397e5b..52940ae69f 100644 Binary files a/.openpublishing.redirection.json and b/.openpublishing.redirection.json differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index bb5e6e271f..7b8e606d40 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -17,7 +17,6 @@ ms.date: 11/15/2017 # MDM enrollment of Windows 10-based devices - In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email. > [!NOTE] @@ -233,7 +232,7 @@ To create a local account and connect the device: ![access work or school](images/unifiedenrollment-rs1-30.png) -4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). ![connect to work or school](images/unifiedenrollment-rs1-31.png) @@ -260,7 +259,7 @@ To create a local account and connect the device: ![phone settings](images/unifiedenrollment-rs1-39.png) -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). ![access work or school page](images/unifiedenrollment-rs1-40.png) @@ -325,7 +324,7 @@ To connect your devices to MDM using deep links: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - > (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. @@ -341,7 +340,8 @@ To connect your devices to MDM using deep links: 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. -After you complete the flow, your device will be connected to your organization’s MDM. + After you complete the flow, your device will be connected to your organization's MDM. + ![corporate sign in](images/deeplinkenrollment4.png) ## Manage connections @@ -375,7 +375,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec - Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. - On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. -> [!WARNING]   +> [!WARNING] > Disconnecting might result in the loss of data on the device. ## Collecting diagnostic logs diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 2927d154d3..eed052ba71 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -727,7 +727,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • User knows what policies, profiles, apps MDM has configured
  • IT helpdesk can get detailed MDM diagnostic information using client tools
    • -

    For details, see Managing connection and Collecting diagnostic logs

    +

    For details, see Managing connection and Collecting diagnostic logs

    Enroll a Windows 10 device automatically using Group Policy @@ -1226,7 +1226,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam -Connecting your Windows 10-based device to work using a deep link +Connect your Windows 10-based device to work using a deep link

    Added following deep link parameters to the table:

    -

    For details, see Managing connections and Collecting diagnostic logs

    +

    For details, see Managing connections and Collecting diagnostic logs

    diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d39db925b7..b788f2aa7c 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -141,11 +141,11 @@ For the payloads (optional): **How does Delivery Optimization handle VPNs?** Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." -If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. -If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. +If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected via VPN, it can still leverage peer-to-peer with the default of LAN. -With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints: +With split tunneling, make sure to allow direct access to these endpoints: Delivery Optimization service endpoint: - `https://*.prod.do.dsp.mp.microsoft.com` @@ -161,7 +161,7 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro - `https://*.update.microsoft.com` - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` -For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). +For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). ## Troubleshooting diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 8fa731dc2a..83cc19c6e9 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -26,16 +26,13 @@ ms.topic: article You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more. ->[!IMPORTANT] ->In Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported on this platform. - ## Summary of Windows Update settings | Group Policy setting | MDM setting | Supported from version | | --- | --- | --- | | [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All | | [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 | -| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All | +| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | [Update/SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess)| All | | [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All | | [Enable client-side targeting](#enable-client-side-targeting) | | All | | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index a51e3b166f..d4c919784d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -19,10 +19,10 @@ ms.reviewer: # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. @@ -36,7 +36,20 @@ Ensure you apply the Windows Server 2016 Update to all nodes in the farm after y A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +> [!NOTE] +>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> +> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". +> 2. Right click "Scope Descriptions" and select "Add Scope Description". +> 3. Under name type "ugs" and Click Apply > OK. +> 4. Launch Powershell as Administrator. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 7. Restart the ADFS service. +> 8. On the client: Restart the client. User should be prompted to provision WHFB. +> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. ## Update Windows Server 2016 @@ -52,19 +65,21 @@ Sign-in the federation server with _local admin_ equivalent credentials. Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) -* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* + +- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) +- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. ### Internal Web Server Authentication Certificate Enrollment + Sign-in the federation server with domain administrator equivalent credentials. 1. Start the Local Computer **Certificate Manager** (certlm.msc). @@ -83,10 +98,11 @@ A server authentication certificate should appear in the computer’s Personal c ## Deploy the Active Directory Federation Service Role -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration -* Certificate registration authority (certificate trust deployments) +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments: + +- Device registration +- Key registration +- Certificate registration authority (certificate trust deployments) >[!IMPORTANT] > Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. @@ -94,6 +110,7 @@ The Active Directory Federation Service (AD FS) role provides the following serv Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. Sign-in the federation server with _Enterprise Admin_ equivalent credentials. + 1. Start **Server Manager**. Click **Local Server** in the navigation pane. 2. Click **Manage** and then click **Add Roles and Features**. 3. Click **Next** on the **Before you begin** page. @@ -107,12 +124,13 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +- Confirm the AD FS farm uses the correct database configuration. +- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +- Confirm **all** AD FS servers in the farm have the latest updates. +- Confirm all AD FS servers have a valid server authentication certificate. + - The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + - The alternate name of the certificate contains a wildcard or the FQDN of the federation service. ## Device Registration Service Account Prerequisite @@ -130,8 +148,9 @@ GMSA uses the Microsoft Key Distribution Service that is located on Windows Serv #### Create KDS Root Key Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. + 1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`. ### Windows Server 2008 or 2008 R2 Domain Controllers @@ -140,6 +159,7 @@ Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key #### Create an AD FS Service Account Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + 1. Open **Active Directory Users and Computers**. 2. Right-click the **Users** container, Click **New**. Click **User**. 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. @@ -241,12 +261,12 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment +* Confirm you followed the correct procedures based on the domain controllers used in your deployment. * Windows Server 2012 or Windows Server 2012 R2 * Windows Server 2008 or Windows Server 2008 R2 * Confirm you have the correct service account based on your domain controller version. * Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate +* Confirm you used a certificate with the correct names as the server authentication certificate. * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: * Certificate serial number * Certificate thumbprint @@ -282,8 +302,8 @@ Sign-in a certificate authority or management workstations with _domain administ 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. ->[!NOTE] -> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + > [!NOTE] + > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 8. On the **Security** tab, click **Add**. @@ -316,11 +336,12 @@ Sign-in a certificate authority or management workstations with _domain administ 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. + > [!NOTE] + > If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. @@ -332,7 +353,7 @@ Sign-in a certificate authority or management workstations with _domain administ Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. 1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`. >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. @@ -369,14 +390,14 @@ Approximately 60 days prior to enrollment agent certificate’s expiration, the ### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service > [!NOTE] -> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN) +> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN). Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script: > [!TIP] > Make sure to change the $enrollmentService and $configNC variables before running the script. -```Powershell +```powershell # Replace this with your Device Registration Service endpoint $enrollmentService = "enterpriseregistration.contoso.com" # Replace this with your Active Directory configuration naming context @@ -420,8 +441,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) +8. Click **Install** to start the feature installation. + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) ### Configure Network Load Balancing for AD FS @@ -457,7 +478,7 @@ Sign-in the domain controller or administrative workstation with domain administ 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. 5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console +6. Close the DNS Management console. ## Configure the Intranet Zone to include the federation service @@ -465,10 +486,10 @@ The Windows Hello provisioning presents web pages from the federation service. ### Create an Intranet Zone Group Policy -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials: +1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** +3. Right-click **Group Policy object** and select **New**. 4. Type **Intranet Zone Settings** in the name box and click **OK**. 5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. @@ -478,7 +499,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_ ### Deploy the Intranet Zone Group Policy object -1. Start the **Group Policy Management Console** (gpmc.msc) +1. Start the **Group Policy Management Console** (gpmc.msc). 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** 3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. @@ -490,8 +511,8 @@ Before you continue with the deployment, validate your deployment progress by re * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. * Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe - * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions + * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe. + * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions. * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. @@ -511,7 +532,7 @@ You need to verify the AD FS service has properly enrolled for an enrollment age ### Event Logs -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show: * The account name under which the certificate was enrolled. * The action, which should read enroll. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 328c9513bf..00c8e2e6f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -19,12 +19,14 @@ ms.reviewer: # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows 10, version 1703 or later -- Hybrid deployment -- Certificate trust + +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ## Federation Services -The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. @@ -45,7 +47,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials. >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - ### Group Memberships for the AD FS Service Account The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. @@ -57,13 +58,27 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. -3. Right-click **Windows Hello for Business Users** group -4. Click the **Members** tab and click **Add** +3. Right-click **Windows Hello for Business Users** group. +4. Click the **Members** tab and click **Add**. 5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. 7. Restart the AD FS server. +> [!NOTE] +>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". +> 2. Right click "Scope Descriptions" and select "Add Scope Description". +> 3. Under name type "ugs" and Click Apply > OK. +> 4. Launch Powershell as Administrator. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 7. Restart the ADFS service. +> 8. On the client: Restart the client. User should be prompted to provision WHFB. +> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. + ### Section Review + > [!div class="checklist"] > * Configure the registration authority. > * Update group memberships for the AD FS service account. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index b72b1b6d49..90c803649e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -20,6 +20,13 @@ ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md) ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) +## [Migration guides]() +### [Migrate from Symantec to Microsoft Defender ATP]() +#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md) +#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md) +#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md) +#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md) + ## [Security administration]() ### [Threat & Vulnerability Management]() #### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) @@ -576,7 +583,6 @@ ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) - #### [Raw data streaming API]() ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) @@ -590,7 +596,6 @@ ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) - #### [Partners & APIs]() ##### [Partner applications](microsoft-defender-atp/partner-applications.md) diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 27a1d4a933..0c95144cb1 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -31,7 +31,7 @@ This subcategory contains events about issued TGSs and failed TGS requests. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

    IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
    We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | +| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

    IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).

    We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | @@ -42,4 +42,3 @@ This subcategory contains events about issued TGSs and failed TGS requests. - [4770](event-4770.md)(S): A Kerberos service ticket was renewed. - [4773](event-4773.md)(F): A Kerberos service ticket request failed. - diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index e366bb2066..840b26d06e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 06/10/2020 +ms.date: 06/29/2020 ms.reviewer: manager: dansimp --- @@ -38,7 +38,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di 2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`. > [!NOTE] -> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. +> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. 3. Type the following command, and then press **Enter** diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 66adf9c4d6..59e059aeb5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -54,7 +54,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. @@ -72,18 +72,18 @@ Set-MpPreference -DisableAutoExclusions $true [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). -[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index). +[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 -Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties: ```WMI DisableAutoExclusions ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) ## List of automatic exclusions @@ -95,110 +95,110 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r #### Windows "temp.edb" files -- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb +- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` -- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log +- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` #### Windows Update files or Automatic Update files -- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb +- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` -- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk +- `%windir%\SoftwareDistribution\Datastore\*\edb.chk` -- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log +- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` -- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs +- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` -- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log +- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` #### Windows Security files -- *%windir%*\Security\database\\*.chk +- `%windir%\Security\database\*.chk` -- *%windir%*\Security\database\\*.edb +- `%windir%\Security\database\*.edb` -- *%windir%*\Security\database\\*.jrs +- `%windir%\Security\database\*.jrs` -- *%windir%*\Security\database\\*.log +- `%windir%\Security\database\*.log` -- *%windir%*\Security\database\\*.sdb +- `%windir%\Security\database\*.sdb` #### Group Policy files -- *%allusersprofile%*\NTUser.pol +- `%allusersprofile%\NTUser.pol` -- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol +- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` -- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol +- `%SystemRoot%\System32\GroupPolicy\User\registry.pol` #### WINS files -- *%systemroot%*\System32\Wins\\*\\\*.chk +- `%systemroot%\System32\Wins\*\*.chk` -- *%systemroot%*\System32\Wins\\*\\\*.log +- `%systemroot%\System32\Wins\*\*.log` -- *%systemroot%*\System32\Wins\\*\\\*.mdb +- `%systemroot%\System32\Wins\*\*.mdb` -- *%systemroot%*\System32\LogFiles\ +- `%systemroot%\System32\LogFiles\` -- *%systemroot%*\SysWow64\LogFiles\ +- `%systemroot%\SysWow64\LogFiles\` #### File Replication Service (FRS) exclusions - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + - `%windir%\Ntfrs\jet\sys\*\edb.chk` - - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + - `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - - *%windir%*\Ntfrs\jet\log\\*\\\*.log + - `%windir%\Ntfrs\jet\log\*\*.log` -- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` +- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` - - *%windir%*\Ntfrs\\*\Edb\*.log + - `%windir%\Ntfrs\*\Edb\*.log` -- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` +- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + - `%systemroot%\Sysvol\*\Nntfrs_cmp*\` - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` - - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\` -- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` +- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` > [!NOTE] - > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions). + > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). - - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + - `%systemdrive%\System Volume Information\DFSR\$db_normal$` - - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - - *%systemdrive%*\System Volume Information\DFSR\\*.XML + - `%systemdrive%\System Volume Information\DFSR\*.XML` - - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + - `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + - `%systemdrive%\System Volume Information\DFSR\$db_clean$` - - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + - `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + - `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - - *%systemdrive%*\System Volume Information\DFSR\\*.frx + - `%systemdrive%\System Volume Information\DFSR\*.frx` - - *%systemdrive%*\System Volume Information\DFSR\\*.log + - `%systemdrive%\System Volume Information\DFSR\*.log` - - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + - `%systemdrive%\System Volume Information\DFSR\Tmp.edb` #### Process exclusions -- *%systemroot%*\System32\dfsr.exe +- `%systemroot%\System32\dfsr.exe` -- *%systemroot%*\System32\dfsrs.exe +- `%systemroot%\System32\dfsrs.exe` #### Hyper-V exclusions @@ -206,59 +206,59 @@ This section lists the file type exclusions, folder exclusions, and process excl - File type exclusions: - - *.vhd + - `*.vhd` - - *.vhdx + - `*.vhdx` - - *.avhd + - `*.avhd` - - *.avhdx + - `*.avhdx` - - *.vsv + - `*.vsv` - - *.iso + - `*.iso` - - *.rct + - `*.rct` - - *.vmcx + - `*.vmcx` - - *.vmrs + - `*.vmrs` - Folder exclusions: - - *%ProgramData%*\Microsoft\Windows\Hyper-V + - `%ProgramData%\Microsoft\Windows\Hyper-V` - - *%ProgramFiles%*\Hyper-V + - `%ProgramFiles%\Hyper-V` - - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` - - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + - `%Public%\Documents\Hyper-V\Virtual Hard Disks` - Process exclusions: - - *%systemroot%*\System32\Vmms.exe + - `%systemroot%\System32\Vmms.exe` - - *%systemroot%*\System32\Vmwp.exe + - `%systemroot%\System32\Vmwp.exe` #### SYSVOL files -- *%systemroot%*\Sysvol\Domain\\*.adm +- `%systemroot%\Sysvol\Domain\*.adm` -- *%systemroot%*\Sysvol\Domain\\*.admx +- `%systemroot%\Sysvol\Domain\*.admx` -- *%systemroot%*\Sysvol\Domain\\*.adml +- `%systemroot%\Sysvol\Domain\*.adml` -- *%systemroot%*\Sysvol\Domain\Registry.pol +- `%systemroot%\Sysvol\Domain\Registry.pol` -- *%systemroot%*\Sysvol\Domain\\*.aas +- `%systemroot%\Sysvol\Domain\*.aas` -- *%systemroot%*\Sysvol\Domain\\*.inf +- `%systemroot%\Sysvol\Domain\*.inf` -- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini +- `%systemroot%\Sysvol\Domain\*.Scripts.ini` -- *%systemroot%*\Sysvol\Domain\\*.ins +- `%systemroot%\Sysvol\Domain\*.ins` -- *%systemroot%*\Sysvol\Domain\Oscfilter.ini +- `%systemroot%\Sysvol\Domain\Oscfilter.ini` ### Active Directory exclusions @@ -268,51 +268,51 @@ This section lists the exclusions that are delivered automatically when you inst The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` -- %windir%\Ntds\ntds.dit +- `%windir%\Ntds\ntds.dit` -- %windir%\Ntds\ntds.pat +- `%windir%\Ntds\ntds.pat` #### The AD DS transaction log files The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` -- %windir%\Ntds\EDB*.log +- `%windir%\Ntds\EDB*.log` -- %windir%\Ntds\Res*.log +- `%windir%\Ntds\Res*.log` -- %windir%\Ntds\Edb*.jrs +- `%windir%\Ntds\Edb*.jrs` -- %windir%\Ntds\Ntds*.pat +- `%windir%\Ntds\Ntds*.pat` -- %windir%\Ntds\TEMP.edb +- `%windir%\Ntds\TEMP.edb` #### The NTDS working folder This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` -- %windir%\Ntds\Temp.edb +- `%windir%\Ntds\Temp.edb` -- %windir%\Ntds\Edb.chk +- `%windir%\Ntds\Edb.chk` #### Process exclusions for AD DS and AD DS-related support files -- %systemroot%\System32\ntfrs.exe +- `%systemroot%\System32\ntfrs.exe` -- %systemroot%\System32\lsass.exe +- `%systemroot%\System32\lsass.exe` ### DHCP Server exclusions This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` -- *%systemroot%*\System32\DHCP\\*\\\*.mdb +- `%systemroot%\System32\DHCP\*\*.mdb` -- *%systemroot%*\System32\DHCP\\*\\\*.pat +- `%systemroot%\System32\DHCP\*\*.pat` -- *%systemroot%*\System32\DHCP\\*\\\*.log +- `%systemroot%\System32\DHCP\*\*.log` -- *%systemroot%*\System32\DHCP\\*\\\*.chk +- `%systemroot%\System32\DHCP\*\*.chk` -- *%systemroot%*\System32\DHCP\\*\\\*.edb +- `%systemroot%\System32\DHCP\*\*.edb` ### DNS Server exclusions @@ -320,27 +320,27 @@ This section lists the file and folder exclusions and the process exclusions tha #### File and folder exclusions for the DNS Server role -- *%systemroot%*\System32\Dns\\*\\\*.log +- `%systemroot%\System32\Dns\*\*.log` -- *%systemroot%*\System32\Dns\\*\\\*.dns +- `%systemroot%\System32\Dns\*\*.dns` -- *%systemroot%*\System32\Dns\\*\\\*.scc +- `%systemroot%\System32\Dns\*\*.scc` -- *%systemroot%*\System32\Dns\\*\BOOT +- `%systemroot%\System32\Dns\*\BOOT` #### Process exclusions for the DNS Server role -- *%systemroot%*\System32\dns.exe +- `%systemroot%\System32\dns.exe` ### File and Storage Services exclusions This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. -- *%SystemDrive%*\ClusterStorage +- `%SystemDrive%\ClusterStorage` -- *%clusterserviceaccount%*\Local Settings\Temp +- `%clusterserviceaccount%\Local Settings\Temp` -- *%SystemDrive%*\mscs +- `%SystemDrive%\mscs` ### Print Server exclusions @@ -348,19 +348,19 @@ This section lists the file type exclusions, folder exclusions, and the process #### File type exclusions -- *.shd +- `*.shd` -- *.spl +- `*.spl` #### Folder exclusions This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` -- *%system32%*\spool\printers\\* +- `%system32%\spool\printers\*` #### Process exclusions -- spoolsv.exe +- `spoolsv.exe` ### Web Server exclusions @@ -368,35 +368,35 @@ This section lists the folder exclusions and the process exclusions that are del #### Folder exclusions -- *%SystemRoot%*\IIS Temporary Compressed Files +- `%SystemRoot%\IIS Temporary Compressed Files` -- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files +- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` -- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates +- `%SystemDrive%\inetpub\temp\ASP Compiled Templates` -- *%systemDrive%*\inetpub\logs +- `%systemDrive%\inetpub\logs` -- *%systemDrive%*\inetpub\wwwroot +- `%systemDrive%\inetpub\wwwroot` #### Process exclusions -- *%SystemRoot%*\system32\inetsrv\w3wp.exe +- `%SystemRoot%\system32\inetsrv\w3wp.exe` -- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe +- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` -- *%SystemDrive%*\PHP5433\php-cgi.exe +- `%SystemDrive%\PHP5433\php-cgi.exe` ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` -- *%systemroot%*\WSUS\WSUSContent +- `%systemroot%\WSUS\WSUSContent` -- *%systemroot%*\WSUS\UpdateServicesDBFiles +- `%systemroot%\WSUS\UpdateServicesDBFiles` -- *%systemroot%*\SoftwareDistribution\Datastore +- `%systemroot%\SoftwareDistribution\Datastore` -- *%systemroot%*\SoftwareDistribution\Download +- `%systemroot%\SoftwareDistribution\Download` ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index b71b5b24ba..58e3fd0a6f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -58,7 +58,7 @@ There are five locations where you can specify where an endpoint should obtain u To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. > [!IMPORTANT] -> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). +> If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). > You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).

    > Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 07b211d997..1c06747e7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -84,7 +84,7 @@ If you are enrolled in Microsoft Defender ATP and you are using a third party an When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. -In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 7ea09555f6..182bb5e356 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -29,7 +29,7 @@ Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). @@ -43,8 +43,8 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators ## Configure web protection Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. -For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). +For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). ## Related topics - [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) \ No newline at end of file +- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 0577df46b2..4cfed0c928 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -91,5 +91,5 @@ You can improve your security configuration when you remediate issues from the s - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png new file mode 100644 index 0000000000..138df35a03 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png new file mode 100644 index 0000000000..1e9bb59266 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png new file mode 100644 index 0000000000..03e534bb18 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png new file mode 100644 index 0000000000..ec1325ab1d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 378fbbc6a0..709b03a5e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -35,14 +35,15 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. +In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details. + - Ansible needs to be installed on at least on one computer (we will call it the master). - SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication. - The following software must be installed on all clients: - curl - python-apt - - unzip -- All hosts must be listed in the following format in the `/etc/ansible/hosts` file: +- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file: ```bash [servers] @@ -79,55 +80,32 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create Ansible YAML files -Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory: +Create a subtask or role files that contribute to an playbook or task. -- Copy the onboarding package to all client devices: +- Create the onboarding task, `onboarding_setup.yml`: ```bash - - name: Copy the zip file - copy: - src: /root/WindowsDefenderATPOnboardingPackage.zip - dest: /root/WindowsDefenderATPOnboardingPackage.zip - owner: root - group: root - mode: '0644' + - name: Create MDATP directories + file: + path: /etc/opt/microsoft/mdatp/ + recurse: true + state: directory + mode: 0755 + owner: root + group: root - - name: Add Microsoft apt signing key - apt_key: - url: https://packages.microsoft.com/keys/microsoft.asc - state: present - when: ansible_os_family == "Debian" - ``` - -- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory: - - ```bash - #!/bin/bash - # We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root - cd /root || exit 1 - # Unzip the archive and create the onboarding file - mkdir -p /etc/opt/microsoft/mdatp/ - unzip WindowsDefenderATPOnboardingPackage.zip - cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json - ``` - -- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory: - - ```bash - name: Register mdatp_onboard.json - stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json + stat: + path: /etc/opt/microsoft/mdatp/mdatp_onboard.json register: mdatp_onboard - - name: Copy the setup script file - copy: - src: /root/setup.sh - dest: /root/setup.sh - owner: root - group: root - mode: '0744' - - - name: Run a script to create the onboarding file - script: /root/setup.sh + - name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp + unarchive: + src: WindowsDefenderATPOnboardingPackage.zip + dest: /etc/opt/microsoft/mdatp + mode: 0600 + owner: root + group: root when: not mdatp_onboard.stat.exists ``` @@ -150,6 +128,12 @@ Create subtask or role files that contribute to an actual task. First create the > In case of Oracle Linux, replace *[distro]* with “rhel”. ```bash + - name: Add Microsoft APT key + apt_key: + keyserver: https://packages.microsoft.com/ + id: BC528686B50D79E339D3721CEB3E94ADBE1229CF + when: ansible_os_family == "Debian" + - name: Add Microsoft apt repository for MDATP apt_repository: repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main @@ -158,12 +142,6 @@ Create subtask or role files that contribute to an actual task. First create the filename: microsoft-[channel].list when: ansible_os_family == "Debian" - - name: Add Microsoft APT key - apt_key: - keyserver: https://packages.microsoft.com/ - id: BC528686B50D79E339D3721CEB3E94ADBE1229CF - when: ansible_os_family == "Debian" - - name: Add Microsoft yum repository for MDATP yum_repository: name: packages-microsoft-com-prod-[channel] @@ -175,7 +153,7 @@ Create subtask or role files that contribute to an actual task. First create the when: ansible_os_family == "RedHat" ``` -- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`. +- Create the Ansible install and uninstall YAML files. - For apt-based distributions use the following YAML file: @@ -183,8 +161,7 @@ Create subtask or role files that contribute to an actual task. First create the $ cat install_mdatp.yml - hosts: servers tasks: - - include: ../roles/download_copy_blob.yml - - include: ../roles/setup_blob.yml + - include: ../roles/onboarding_setup.yml - include: ../roles/add_apt_repo.yml - apt: name: mdatp @@ -207,8 +184,7 @@ Create subtask or role files that contribute to an actual task. First create the $ cat install_mdatp_yum.yml - hosts: servers tasks: - - include: ../roles/download_copy_blob.yml - - include: ../roles/setup_blob.yml + - include: ../roles/onboarding_setup.yml - include: ../roles/add_yum_repo.yml - yum: name: mdatp @@ -227,7 +203,7 @@ Create subtask or role files that contribute to an actual task. First create the ## Deployment -Now run the tasks files under `/etc/ansible/playbooks/`. +Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. - Installation: diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 385bdbecbb..425c0389da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -39,7 +39,7 @@ There are several methods and deployment tools that you can use to install and c In general you need to take the following steps: -- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal. +- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md). - Deploy Microsoft Defender ATP for Linux using one of the following deployment methods: - The command-line tool: - [Manual deployment](linux-install-manually.md) @@ -51,7 +51,7 @@ If you experience any installation failures, refer to [Troubleshooting installat ### System requirements -- Supported Linux server distributions and versions: +- Supported Linux server distributions and versions: - Red Hat Enterprise Linux 7.2 or higher - CentOS 7.2 or higher diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index be0cbf87e6..57650a46c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -91,7 +91,19 @@ Ensure that your devices: - Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. - Have at least one security recommendation that can be viewed in the device page -- Are tagged or marked as co-managed +- Are tagged or marked as co-managed + +## APIs + +Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +See the following topics for related APIs: + +- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Machine APIs](machine.md) +- [Recommendation APIs](vulnerability.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) ## Related topics @@ -105,6 +117,6 @@ Ensure that your devices: - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md new file mode 100644 index 0000000000..d9d91b4835 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -0,0 +1,55 @@ +--- +title: Migrate from Symantec to Microsoft Defender ATP +description: Make the switch from Symantec to Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec to Microsoft Defender Advanced Threat Protection + +If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. + +## The migration process + +When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as depicted in the following image: + +:::image type="content" source="images/SymantecMigration-DefenderATP-overview.png" alt-text="Phase 1 - Prepare. Phase 2 - Setup. Phase 3 - Onboard"::: + +- During the [**Prepare** phase](symantec-to-microsoft-defender-atp-prepare.md), you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. + +- During the [**Setup** phase](symantec-to-microsoft-defender-atp-setup.md), you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings. + +- During the [**Onboard** phase](symantec-to-microsoft-defender-atp-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in place. + +## What's included in Microsoft Defender ATP? + +In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. + +| Feature/Capability | Description | +|---|---| +| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | +| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | +| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | +| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. | +| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | +| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | +| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. | + +**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).** + +## Next step + +- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md new file mode 100644 index 0000000000..e1f80dbe12 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -0,0 +1,100 @@ +--- +title: Phase 3 - Onboard to Microsoft Defender ATP +description: Make the switch from Symantec to Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP + +:::image type="content" source="images/SymantecMigration-DefenderATP-phase3.png" alt-text="Phase 3: Onboard"::: + +**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall Symantec](#uninstall-symantec). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
    - [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|Windows 8.1 Enterprise
    Windows 8.1 Pro
    Windows 7 SP1 Enterprise
    Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

    **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|Windows Server 2019 and later
    Windows Server 2019 core edition
    Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
    - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
    - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
    - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-machines-using-earlier-versions-of-system-center-configuration-manager)
    - [VDI onboarding scripts for non-persistent machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

    **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|Windows Server 2016
    Windows Server 2012 R2
    Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
    - [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
    iOS
    Linux |[Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
    - Windows Server 2019
    - Windows Server, version 1803
    - Windows Server 2016
    - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

    Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

    For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
    `mdatp health --field real_time_protection_enabled`.

    2. Open a Terminal window, and run the following command:
    `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

    3. Run the following command to list any detected threats:
    `mdatp threat list`.

    For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | + +## Uninstall Symantec + +Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec. + +1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec. + +2. Delete the uninstall password for Symantec: + 1. On your Windows devices, open Registry Editor as an administrator. + 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`. + 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**. + +3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html). + + +> [!TIP] +> Need help? See the following Broadcom resources: +> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html). +> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040). +> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387). +> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054). + +## Make sure Microsoft Defender ATP is in active mode + +Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode. + +To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following: +- Cloud-delivered protection +- Potentially Unwanted Applications (PUA) +- Network Protection (NP) + +## Next steps + +**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md new file mode 100644 index 0000000000..9e3dbfb67e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -0,0 +1,82 @@ +--- +title: Phase 1 - Prepare for your migration to Microsoft Defender ATP +description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 1: Prepare for your migration + +:::image type="content" source="images/SymantecMigration-DefenderATP-phase1.png" alt-text="Prepare to migrate"::: + +**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. + +This migration phase includes the following steps: +1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp). +2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). +3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). + +## Get Microsoft Defender ATP + +To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned. + +1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). + +2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). + +3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). + +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). + +At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +> [!NOTE] +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. + +## Grant access to the Microsoft Defender Security Center + +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). + +Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. + +1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). + +2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). + + If your organization requires a method other than Intune, choose one of the following options: + - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) + - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) + - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) + +3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). + +## Configure device proxy and internet connectivity settings + +To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: + +|Capabilities | Operating System | Resources | +|--|--|--| +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
    - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
    | +|Antivirus |macOS:
    - 10.15 (Catalina)
    - 10.14 (Mojave)
    - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
    - RHEL 7.2+
    - CentOS Linux 7.2+
    - Ubuntu 16 LTS, or higher LTS
    - SLES 12+
    - Debian 9+
    - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) + +## Next step + +**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md new file mode 100644 index 0000000000..9de272158f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -0,0 +1,204 @@ +--- +title: Phase 2 - Set up Microsoft Defender ATP +description: Phase 2 - Set up Microsoft Defender ATP +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP + +:::image type="content" source="images/SymantecMigration-DefenderATP-phase2.png" alt-text="Phase 2 - Setup"::: + +**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps: +1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows). +2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). +3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec). +4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus). +5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp). +6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). +7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). + +## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows) + +> [!TIP] +> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**. + +On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). + +Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode. + +### Reinstall Microsoft Defender Antivirus on Windows Server + +> [!NOTE] +> The following procedure applies only to endpoints or devices that are running the following versions of Windows: +> - Windows Server 2019 +> - Windows Server, version 1803 (core-only mode) +> - Windows Server 2016 +> +> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). + +1. As a local administrator on the endpoint or device, open Windows PowerShell. + +2. Run the following PowerShell cmdlets:
    + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
    + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
    + +3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
    + `Get-Service -Name windefend` + +> [!TIP] +> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). + +### Set Microsoft Defender Antivirus to passive mode on Windows Server + +Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. + +1. Open Registry Editor, and then navigate to
    + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: + - Set the DWORD's value to **1**. + - Under **Base**, select **Hexadecimal**. + +> [!NOTE] +> You can use other methods to set the registry key, such as the following: +>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) +>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) +>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs) + +## Enable Microsoft Defender Antivirus + +Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. + +To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table: + +|Method |What to do | +|---------|---------| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

    3. Select **Properties**, and then select **Configuration settings: Edit**.

    4. Expand **Microsoft Defender Antivirus**.

    5. Enable **Cloud-delivered protection**.

    6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

    7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

    8. Select **Review + save**, and then choose **Save**.

    For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
    or
    [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

    2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

    3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | + +### Verify that Microsoft Defender Antivirus is in passive mode + +Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table: + +|Method |What to do | +|---------|---------| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

    2. Type `sc query windefend`, and then press Enter.

    3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

    2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.

    3. In the list of results, look for **AntivirusEnabled: True**. | + +> [!NOTE] +> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. + +## Add Microsoft Defender ATP to the exclusion list for Symantec + +This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table: + +|OS |Exclusions | +|--|--| +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
    - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
    - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
    - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

    `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
    | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
    - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
    - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
    - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

    **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

    `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

    `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | + +## Add Symantec to the exclusion list for Microsoft Defender Antivirus + +During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list. + +When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: +- Path exclusions exclude specific files and whatever those files access. +- Process exclusions exclude whatever a process touches, but does not exclude the process itself. +- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded. +- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) + +You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + +|Method | What to do| +|--|--| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

    **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

    2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

    3. Under **Manage**, select **Properties**.

    4. Select **Configuration settings: Edit**.

    5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

    6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

    7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

    2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

    2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

    3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    4. Double-click the **Path Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Specify each folder on its own line under the **Value name** column.
    - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

    5. Click **OK**.

    6. Double-click the **Extension Exclusions** setting and add the exclusions.
    - Set the option to **Enabled**.
    - Under the **Options** section, click **Show...**.
    - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

    7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

    2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
    **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

    3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

    2. Import the registry key. Here are two examples:
    - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
    - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | + +## Add Symantec to the exclusion list for Microsoft Defender ATP + +To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. + +3. On the **File hashes** tab, choose **Add indicator**. + +3. On the **Indicator** tab, specify the following settings: + - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) + - Under **Expires on (UTC)**, choose **Never**. + +4. On the **Action** tab, specify the following settings: + - **Response Action**: **Allow** + - Title and description + +5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. + +6. On the **Summary** tab, review the settings, and then click **Save**. + +### Find a file hash using CMPivot + +CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview). + +To use CMPivot to get your file hash, follow these steps: + +1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). + +2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + +3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). + +4. Select the **Query** tab. + +5. In the **Device Collection** list, and choose **All Systems (default)**. + +6. In the query box, type the following query:
    + +```kusto +File(c:\\windows\\notepad.exe) +| project Hash +``` +> [!NOTE] +> In the query above, replace *notepad.exe* with the your third-party security product process name. + +## Set up your device groups, device collections, and organizational units + +| Collection type | What to do | +|--|--| +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

    Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

    Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

    2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

    3. Choose **+ Add device group**.

    4. Specify a name and description for the device group.

    5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

    6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

    7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

    8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

    Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

    Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | + +## Configure antimalware policies and real-time protection + +Using Configuration Manager and your device collection(s), configure your antimalware policies. + +- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). + +- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). + +> [!TIP] +> You can deploy the policies before your organization's devices on onboarded. + +## Next step + +**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)! + +- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index b738381662..d9ae5aa265 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -27,18 +27,6 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -## APIs - -Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). -See the following topics for related APIs: - -- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Machine APIs](machine.md) -- [Recommendation APIs](vulnerability.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) - ## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. @@ -62,41 +50,6 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ``` -## Find and remediate software or software versions which have reached end-of-support (EOS) - -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. - -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. - -To find software or software versions which have reached end-of-support: - -1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. -2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) - -3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) - -### List of versions and dates - -To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: - -1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. - - ![Screenshot of version distribution link](images/eos-upcoming-eos.png) - -2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - - ![Screenshot of version distribution link](images/software-drilldown-eos.png) - -3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. - - ![Screenshot of version distribution link](images/version-eos-date.png) - -After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. - ## Related topics - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) @@ -109,7 +62,7 @@ After you have identified which software and software versions are vulnerable du - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 8113dad807..0c1b4cf7e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -95,5 +95,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 14b1fccf65..8bccc0a7d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -67,5 +67,5 @@ Lower your threat and vulnerability exposure by remediating [security recommenda - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 45b6383439..9a028202c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -105,5 +105,5 @@ Select **Show exceptions** at the bottom of the **Top security recommendations** - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index fb17d58a4e..69bd6c04dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -90,9 +90,9 @@ From the flyout, you can do any of the following: - **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. +- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. >[!NOTE] >When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. @@ -171,6 +171,42 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. +## Find and remediate software or software versions which have reached end-of-support (EOS) + +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. + +It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. + +To find software or software versions which have reached end-of-support: + +1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. +2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) + +3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) + +### List of versions and dates + +To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: + +1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. + + ![Screenshot of version distribution link](images/eos-upcoming-eos.png) + +2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. + + ![Screenshot of version distribution link](images/software-drilldown-eos.png) + +3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. + + ![Screenshot of version distribution link](images/version-eos-date.png) + +After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. + + ## Related topics - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) @@ -183,5 +219,5 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 22a1dd3cf5..645cd0f01c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -92,5 +92,5 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 0c654fd804..79a095f15f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -53,5 +53,5 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index afeab8d973..6811d01917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -133,5 +133,5 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Software inventory](tvm-software-inventory.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 60760b7cac..4f0891df0c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -33,27 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Description +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen At least Windows Server 2012, Windows 8 or Windows RT This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. -Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control -Windows 10, version 1703 +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control +Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control +Windows 10, version 1703 This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.

    -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. -Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites +Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

    Windows 10, Version 1511 and 1607:
    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 6660f7a19e..d58e9bcde6 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -22,7 +22,10 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting. + +> [!NOTE] +> You may need to download the ADMX template for your version of Windows to enable this policy to be applied. ## Reference diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 99be4872aa..489cb3373f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -150,7 +150,7 @@ Windows Sandbox also has improved accessibility in this release, including: With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. -[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization. +[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization. For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).