From bdd52aab30e1ff2822a438468344637389a6c5fb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:01:32 -0800 Subject: [PATCH 01/16] Update configure-microsoft-defender-antivirus-features.md --- .../configure-microsoft-defender-antivirus-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index a3d582510d..383dce56d6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- From 5f8681b6f29617b0270343fe18e2773d0bf65d93 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:05:50 -0800 Subject: [PATCH 02/16] Update configure-microsoft-defender-antivirus-features.md --- ...e-microsoft-defender-antivirus-features.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 383dce56d6..91b4bdb5bd 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -37,15 +37,17 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. + From f4f111298f872493993a18d5a55a6b9fb44da77a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:07:09 -0800 Subject: [PATCH 03/16] Update configure-microsoft-defender-antivirus-features.md --- .../configure-microsoft-defender-antivirus-features.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 91b4bdb5bd..fd9d16d4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -39,8 +39,7 @@ The following broad categories of features can be configured: - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection - How end users interact with the client on individual endpoints -The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). - +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). |Article |Description | |---------|---------| From c99aaeaef18a6d9a1fafc0926d4f4337d1a7dfea Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:10:46 -0800 Subject: [PATCH 04/16] Update configure-network-connections-microsoft-defender-antivirus.md --- ...etwork-connections-microsoft-defender-antivirus.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 8ee17ca054..1be93dc8a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- @@ -62,7 +62,7 @@ The table below lists the services and their associated URLs. Make sure that the | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -85,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -105,11 +104,11 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). From a6e114417672f424ef360524007248e97541b7d4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:27:06 -0800 Subject: [PATCH 05/16] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...exclusions-microsoft-defender-antivirus.md | 54 ++++++++----------- 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 95de8ec073..8b00cfd083 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -26,15 +26,16 @@ manager: dansimp You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
`c:\sample\test.exe`
`d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
`c:\test\sample\test.exe`
`c:\test\sample\test2.exe`
`c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -46,14 +47,12 @@ You can add, remove, and review the lists for exclusions in [Group Policy](#gp), You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. @@ -80,8 +79,6 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -94,11 +91,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -109,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans @@ -121,33 +118,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
-? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions From ebb7a832fc41c69474297942f5d4254dafceea38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:28:33 -0800 Subject: [PATCH 06/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 8139e27e9a..d799ae7d2e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- From 07b2b44a207c34ac121cf02039e697685b05a083 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:29:36 -0800 Subject: [PATCH 07/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index d799ae7d2e..81e984fa4a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -28,7 +28,7 @@ In addition to standard on-premises or hardware configurations, you can also use See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -49,7 +49,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De ## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. ### Use Group Policy to enable the shared security intelligence feature: From 97e4d4c368a1b39c197fd002f5f73f093b5e4950 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:32:16 -0800 Subject: [PATCH 08/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 81e984fa4a..e135754b51 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -63,7 +63,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. @@ -81,7 +81,7 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell $vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' @@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. @@ -106,13 +106,13 @@ Security intelligence packages are typically published once every three to four 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. 4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. You can initiate the update manually by right-clicking on the task and clicking **Run**. From 1f325f118d6783836b7e625ad53d9a5ac66bfe13 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:32:49 -0800 Subject: [PATCH 09/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index e135754b51..76394d2a43 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -118,7 +118,7 @@ You can initiate the update manually by right-clicking on the task and clicking ### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. From bab2ae97aa1932804ac19bbbbb522b643460192e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:52:54 -0800 Subject: [PATCH 10/16] Update deployment-vdi-microsoft-defender-antivirus.md --- ...oyment-vdi-microsoft-defender-antivirus.md | 39 ++++++++++++------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 76394d2a43..53d4a57daf 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 11/18/2020 -ms.reviewer: +ms.reviewer: jesquive manager: dansimp --- @@ -122,7 +122,9 @@ If you would prefer to do everything manually, here's what to do to replicate th 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` + +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` > [!NOTE] > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. @@ -138,32 +140,43 @@ If you would prefer to do everything manually, here's what to do to replicate th Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. + +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. ## Prevent notifications -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +2. Select **Suppress all notifications** and then edit the policy settings. -3. Click **OK**. +3. Set the policy to **Enabled**, and then select **OK**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. ## Disable scans after an update From 74736769a503f0d018b6cd48203c09a5b680f204 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:53:57 -0800 Subject: [PATCH 11/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 53d4a57daf..4233121080 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -185,7 +185,7 @@ This setting will prevent a scan from occurring after receiving an update. You c > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. Expand the tree to **Windows components** > **Windows Defender** > **Signature Updates**. 2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. From 0b93827584f1975210e8f1f608c5342fe162cc30 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:07:09 -0800 Subject: [PATCH 12/16] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...ess-opened-file-exclusions-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 8b00cfd083..c9663557f9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -43,9 +43,9 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. From d189183c96745e9b124274024cda72f175b9ae37 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:08:36 -0800 Subject: [PATCH 13/16] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 4233121080..4bad0e3733 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -180,7 +180,7 @@ Suppressing notifications prevents notifications from Microsoft Defender Antivir ## Disable scans after an update -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. From 4660b238059867db435d359bac4cd0ddea310288 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:30:47 -0800 Subject: [PATCH 14/16] fixes --- ...exclusions-microsoft-defender-antivirus.md | 2 +- ...oyment-vdi-microsoft-defender-antivirus.md | 24 ++++++++++++------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index c9663557f9..81cb5deeec 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -73,7 +73,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 4bad0e3733..bbb87abdc3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -185,23 +185,31 @@ Disabling a scan after an update will prevent a scan from occurring after receiv > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components** > **Windows Defender** > **Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. + +This policy prevents a scan from running immediately after an update. ## Scan VMs that have been offline -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Select **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. ## Enable headless UI mode From 807b8fc534933e132b84925cbb0c10491e990f18 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 17:00:36 -0800 Subject: [PATCH 15/16] Update deployment-vdi-microsoft-defender-antivirus.md --- ...eployment-vdi-microsoft-defender-antivirus.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index bbb87abdc3..a7990f4bca 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -213,20 +213,26 @@ This policy forces a scan if the VM has missed two or more consecutive scheduled ## Enable headless UI mode -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Click **OK**. +2. Select **Enable headless UI mode** and edit the policy. -This hides the entire Microsoft Defender AV user interface from users. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. ## Exclusions Exclusions can be added, removed, or customized to suit your needs. -For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) From a446f2ccf637ae28b1d6863aa577a0eb441a2c72 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 17:01:52 -0800 Subject: [PATCH 16/16] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...ocess-opened-file-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 81cb5deeec..725634e323 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -106,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans