deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 22:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into vsts17425031

Browse Source
This commit is contained in:
Justin Hall
2018-05-23 15:48:56 -07:00
parent 0284d34c57 82bbae2945
commit 3c27853bb9
62 changed files with 944 additions and 801 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
ms.date: 01/12/2018
ms.date: 05/18/2018
---
# Manage Windows Defender Credential Guard
@ -140,7 +140,7 @@ For client machines that are running Windows 10 1703, LsaIso.exe is running when
## Disable Windows Defender Credential Guard
If you have to disable Windows Defender Credential Guard on a PC, you can use the following set of procedures, or you can [use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
2. Delete the following registry settings:

BIN
windows/security/identity-protection/vpn/images/custom-vpn-profile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 81 KiB

After

Width:  |  Height:  |  Size: 117 KiB

37
windows/security/identity-protection/vpn/vpn-profile-options.md
View File

@ -297,29 +297,20 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
1. Sign into the [Azure portal](https://portal.azure.com).
2. Click **Intune** > **Device Configuration** > **Profiles**.
3. Click **Create Profile**.
4. Enter a name and (optionally) a description.
5. Choose **Windows 10 and later** as the platform.
6. Choose **Custom** as the profile type.
7. Click **Add**.
8. Configure the custom setting:
a. Enter a name and (optionally) a description.
b. Enter the OMA-URI: **./user/vendor/MSFT/_VPN profile name_/ProfileXML**.
c. Set Data type to **String (XML file)**.
d. Upload the file with the profile XML.
e. Click **OK**.
![Custom VPN Profile](images/custom-vpn-profile.png)
9. Click **OK**, then click **Create**.
10. Assign the profile.
1. Sign into the [Azure portal](https://portal.azure.com).
2. Go to **Intune** > **Device Configuration** > **Properties**.
3. Click **Create Profile**.
4. Enter a name and (optionally) a description.
5. Choose **Windows 10 and later** as the platform.
6. Choose **Custom** as the profile type and click **Add**.
8. Enter a name and (optionally) a description.
9. Enter the OMA-URI **./user/vendor/MSFT/_VPN profile name_/ProfileXML**.
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
![Custom VPN profile](images/custom-vpn-profile.png)
13. Click **OK**, then **Create**.
14. Assign the profile.
## Learn more

4
windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/21/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
@ -47,7 +47,7 @@ PowerShell|Deploy with Group Policy, System Center Configuration Manager, or man
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager 2016 and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager 2016. See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. <span id="fn2" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)

4
windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/21/2018
---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
@ -63,7 +63,7 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune
---|---|---|---|---|---|---
Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version

2
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
View File

@ -42,6 +42,7 @@ Use the following table to understand what the columns represent, its data type,
| AdditionalFields | string | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
| EventTime | datetime | Date and time when the event was recorded. |
| EventType | string | Table where the record is stored. |
@ -53,6 +54,7 @@ Use the following table to understand what the columns represent, its data type,
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |

4
windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 05/08/2018
ms.date: 05/21/2018
---
# Use Automated investigations to investigate and remediate threats
@ -117,7 +117,7 @@ Status | Description
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped due to <reason>. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |

68
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -38,68 +38,26 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Login to the [Microsoft Azure portal](https://portal.azure.com).
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select **Device Configuration > Profiles > Create profile**.
b. Select Windows 10 as the operating system.
3. Enter a **Name** and **Description**.
c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
d. Click **Download package**, and save the .zip file.
4. For **Platform**, select **Windows 10 and later**.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**.
3. Login to the [Microsoft Azure portal](https://portal.azure.com).
6. Configure the settings:
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from the Windows Defender ATP portal, and add it. Otherwise, skip this property.
7. Select **OK**, and **Create** to save your changes, which creates the profile.
4. From the Intune blade, choose **Device configuration**.
![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
5. Under **Manage**, choose **Profiles** and click **Create Profile**.
![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
![Image of naming a policy](images/atp-intune-custom.png)
7. Click **Settings** > **Configure**.
![Image of settings](images/atp-intune-configure.png)
8. Under Custom OMA-URI Settings, click **Add**.
![Image of configuration settings](images/atp-custom-oma-uri.png)
9. Enter the following values, then click **OK**.
![Image of profile creation](images/atp-oma-uri-values.png)
- **Name**: Type a name for the setting.
- **Description**: Type a description for the setting.
- **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
10. Save the settings by clicking **OK**.
11. Click **Create**.
![Image of the policy being created](images/atp-intune-create-policy.png)
12. To deploy the Profile, click **Assignments**.
![Image of groups](images/atp-intune-assignments.png)
13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
![Image of groups](images/atp-intune-group.png)
14. Click **Save** to finish deploying the Configuration Profile.
![Image of deployment](images/atp-intune-save-deployment.png)
### Onboard and monitor machines using the classic Intune console

6
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/21/2018
---
@ -63,11 +63,9 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection]
## Requirements
Exploit protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Windows 10 version 1709 or later | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## Review Exploit protection events in Windows Event Viewer