diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index a17307dcf4..3b8c2ce3db 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1502,6 +1502,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview",
 "redirect_document_id": true
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
index 0031c6792e..7adcb24c17 100644
--- a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
+++ b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
@@ -9,7 +9,7 @@ ms.reviewer: ramakoni, DEV_Triage
 ms.prod: internet-explorer
 ms.technology:
 ms.topic: kb-support
-ms.custom: CI=111020
+ms.custom: CI=111026
 ms.localizationpriority: Normal
 # localization_priority: medium
 # ms.translationtype: MT
@@ -71,10 +71,18 @@ The batch file offers the following options: **Contents of the batch file** -```console +```dos @echo off -:: AxelR Test Batch -:: tested on Windows 8 + IE10, Windows7 + IE9 +# This sample script is not supported under any Microsoft standard support program or service. +# The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims +# all implied warranties including, without limitation, any implied warranties of merchantability +# or of fitness for a particular purpose. The entire risk arising out of the use or performance of +# the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, +# or anyone else involved in the creation, production, or delivery of the scripts be liable for any +# damages whatsoever (including, without limitation, damages for loss of business profits, business +# interruption, loss of business information, or other pecuniary loss) arising out of the use of or +# inability to use the sample scripts or documentation, even if Microsoft has been advised of the +# possibility of such damages :home cls 
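Review bot: The ten disclaimer lines added after `@echo off` start with `#`, which is not a comment marker in a cmd batch file; cmd tries to execute `#` as a command on each of them, so every launch of the script prints ten "not recognized as an internal or external command" errors before the menu appears (`@echo off` hides the echo, not the error output). The lines this hunk removes used `::`, which is the right form, so the fix is to change the prefix on all ten added lines to `::` (or `REM`), e.g. `:: This sample script is not supported under any Microsoft standard support program or service.`. Switching the fence from `console` to `dos` is fine for a batch listing, but it makes the `#` prefix look like a shell-style comment to readers who copy the block. The batch listing continues in the next hunk.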
@@ -83,55 +91,33 @@ echo Delete IE History echo Please select the task you wish to run. echo Pick one: echo. -echo 1. Delete Non-trusted web History(low level hidden clean up) -echo 2. Delete History -echo 3. Delete Cookies -echo 4. Delete Temporary Internet Files -echo 5. Delete Form Data -echo 6. Delete Stored Passwords -echo 7. Delete All -echo 8. Delete All "Also delete files and settings stored by add-ons" -echo 9. Delete IE10 and 9 Temporary Internet Files -echo 10. Reset IE Settings -echo 77. EXIT +echo 1. Delete History +echo 2. Delete Cookies +echo 3. Delete Temporary Internet Files +echo 4. Delete Form Data +echo 5. Delete Stored Passwords +echo 6. Delete All +echo 7. Delete All "Also delete files and settings stored by add-ons" +echo 8. Delete IE10 and 9 Temporary Internet Files +echo 9. Reset IE Settings +echo 00. EXIT :choice Echo Hit a number [1-10] and press enter. set /P CH=[1-10] -if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah -if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1 -if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2 -if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8 -if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16 -if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32 -if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 -if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351 -if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9 -if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults -if "%CH%"=="77" goto quit +if "%CH%"=="1" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1 +if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2 +if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8 +if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16 +if "%CH%"=="5" set 
x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32 +if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 +if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351 +if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9 +if "%CH%"=="9" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults +if "%CH%"=="00" goto quit %x% -goto Home - -::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media -::that are saved for faster viewing. -::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by -::websites to save preferences such as login information. -::History > Delete history - To delete the history of the websites you have visited. -::Form data > Delete forms - To delete all the saved information that you have typed into -::forms. -::Passwords > Delete passwords - To delete all the passwords that are automatically filled in -::when you log on to a website that you've previously visited. -::Delete all - To delete all of these listed items in one operation. - -::enter below in search/run to see Low history dir if exists -::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low - -::Delete all low (untrusted history) very hidden -::this will clean any unlocked files under the dir and not delete the dir structure -::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah - goto Home :quit ``` diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 4decd51404..330bc3286e 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
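Review bot: The prompt still reads `Echo Hit a number [1-10] and press enter.` and `set /P CH=[1-10]` although the renumbered menu now offers 1–9 and `00`, so the on-screen instructions no longer match the inputs the `if` lines accept; change them to `Echo Hit a number [1-9] or 00 and press enter.` and `set /P CH=[1-9, 00]`. Separately, `x` is never cleared before `:choice`, so when the user types anything that matches none of the `if` lines, `%x%` re-runs whichever command was selected on the previous pass through the menu instead of doing nothing; adding `set x=` as the first line after `:choice` makes an unrecognized entry a no-op. The batch listing starts in the previous hunk.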
@@ -65,7 +65,9 @@ ## [Frequently asked security questions](hololens-faq-security.md) ## [Status of the HoloLens services](hololens-status.md) ## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb) -## [SCEP whitepaper](scep-whitepaper.md) + +# Resources +## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md) # [HoloLens release notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 4b3449e838..9a1b48b3eb 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -1,7 +1,7 @@ --- title: Change history for Microsoft HoloLens documentation ms.reviewer: -manager: dansimp +manager: laurawi description: This topic lists new and updated topics for HoloLens. keywords: change history ms.prod: hololens diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index a19c9d48cf..89a01c0628 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md 
@@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. +Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available. ### General speech commands diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index af44d41fb3..6b2cfb74bc 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -10,7 +10,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 01/26/2019 ms.reviewer: -manager: dansimp +manager: laurawi appliesto: - HoloLens (1st gen) --- diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index c8b54ac1f2..bce3d27644 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -10,7 +10,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 07/15/2019 ms.reviewer: -manager: dansimp +manager: laurawi appliesto: - HoloLens (1st gen) - HoloLens 2 
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index 78dacbb581..85f66c8318 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md @@ -73,8 +73,6 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. ## HoloLens 2nd Gen Security Questions 
@@ -125,5 +123,3 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 68262afb5b..60ac0094b5 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -13,7 +13,7 @@ ms.localizationpriority: medium audience: ITPro ms.date: 1/6/2020 ms.reviewer: -manager: dansimp +manager: laurawi appliesto: - HoloLens 2 --- diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index aab93e1b8a..2043128011 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -12,7 +12,7 @@ ms.custom: - CI 111456 - CSSTroubleshooting ms.reviewer: -manager: dansimp +manager: laurawi appliesto: - HoloLens (1st gen) - HoloLens 2 diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md index 4bd8b317ef..d65929d676 100644 --- a/devices/hololens/hololens-multiple-users.md 
+++ b/devices/hololens/hololens-multiple-users.md @@ -9,7 +9,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 09/16/2019 ms.reviewer: -manager: dansimp +manager: laurawi appliesto: - HoloLens (1st gen) - HoloLens 2 diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 70edc38d5e..5eea91fcbe 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -16,7 +16,7 @@ ms.custom: ms.localizationpriority: medium ms.date: 03/10/2020 ms.reviewer: Teresa-Motiv -manager: dansimp +manager: laurawi appliesto: - HoloLens (1st gen) - HoloLens 2 diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 79c2e77dc1..b289b56df1 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -3,7 +3,7 @@ title: HoloLens release notes description: Learn about updates in each new HoloLens release. author: scooley ms.author: scooley -manager: dansimp +manager: laurawi ms.prod: hololens ms.sitesec: library ms.topic: article @@ -26,7 +26,7 @@ appliesto: > [!Note] > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). -### Coming Soon +### April Update - build 18362.1059 **Dark mode for supported apps** diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md new file mode 100644 index 0000000000..1d2c68e80e --- /dev/null +++ b/devices/hololens/hololens2-autopilot.md 
@@ -0,0 +1,249 @@ +--- +title: Windows Autopilot for HoloLens 2 evaluation guide +description: +author: Teresa-Motiv +ms.author: v-tea +ms.date: 4/10/2020 +ms.prod: hololens +ms.topic: article +ms.custom: +- CI 116283 +- CSSTroubleshooting +audience: ITPro +ms.localizationpriority: high +keywords: autopilot +manager: jarrettr +appliesto: +- HoloLens 2 +--- + +# Windows Autopilot for HoloLens 2 evaluation guide + +When you set up HoloLens 2 devices for the Windows Autopilot program, your users can follow a simple process to provision the devices from the cloud. + +This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE). + +![The Autopilot self-deploying process configures shared devices in "headless" mode by using a network connection.](./images/hololens-ap-intro.png) + +When a user starts the Autopilot self-deploying process, the process completes the following steps: + +1. Join the device to Azure Active Directory (Azure AD). + > [!NOTE] + > Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join. +1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service). +1. Download the device-targeted policies, certificates, and networking profiles. +1. Provision the device. +1. Present the sign-in screen to the user. + +## Windows Autopilot for HoloLens 2: Get started + +The following steps summarize the process of setting up your environment for the Windows Autopilot for HoloLens 2. The rest of this section provides the details of these steps. + +1. Enroll in the Windows Autopilot for HoloLens 2 program. +1. Make sure that you meet the requirements for Windows Autopilot for HoloLens. +1. 
Verify that your tenant is flighted (enrolled to participate in the program). +1. Register devices in Windows Autopilot. +1. Create a device group. +1. Create a deployment profile. +1. Verify the ESP configuration. +1. Configure a custom configuration profile for HoloLens devices (known issue). +1. Verify the profile status of the HoloLens devices. + +### 1. Enroll in the Windows Autopilot for HoloLens 2 program + +To participate in the program, you have to use a tenant that is flighted for HoloLens. To do this, go to [Windows Autopilot for HoloLens Private Preview request](https://aka.ms/APHoloLensTAP) or use the following QR code to submit a request. + +![Autopilot QR code](./images/hololens-ap-qrcode.png) + +In this request, provide the following information: + +- Tenant domain +- Tenant ID +- Number of HoloLens 2 devices that are participating in this evaluation +- Number of HoloLens 2 devices that you plan to deploy by using Autopilot self-deploying mode + +### 2. Make sure that you meet the requirements for Windows Autopilot for HoloLens + +For the latest information about how to participate in the program, review [Windows Insider Release Notes](hololens-insider.md#windows-insider-release-notes). + +Review the following sections of the Windows Autopilot requirements article: + +- [Network requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements) +- [Licensing requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#licensing-requirements) +- [Configuration requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#configuration-requirements) + > [!IMPORTANT] + > For information about how to register devices and configure profiles, see [4. Register devices in Windows Autopilot](#4-register-devices-in-windows-autopilot) and [6. 
Create a deployment profile](#6-create-a-deployment-profile) in this article. These sections provide steps that are specific to HoloLens. + +> [!IMPORTANT] +> Unlike other Windows Autopilot programs, Windows Autopilot for HoloLens 2 has specific operating system requirements. + +Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying#requirements)" section of the Windows Autopilot Self-Deploying mode article. Your environment has to meet these requirements as well as the standard Windows Autopilot requirements. + +> [!NOTE] +> You do not have to review the "Step by step" and "Validation" sections of the article. The procedures later in this article provide corresponding steps that are specific to HoloLens. + +Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements: + +- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune. +- Every device can connect to the internet. You can use a wired or wireless connection. +- Every device can connect to a computer by using a USB-C cable, and that computer has the following available: + - Advanced Recovery Companion (ARC) + - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version) + +To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). + +### 3. Verify that your tenant is flighted + +To verify that your tenant is flighted for the Autopilot program after you submit your request, follow these steps: + +1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. 
Select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile**. + + ![Create profile dropdown includes a HoloLens item.](./images/hololens-ap-enrollment-profiles.png) + You should see a list that includes **HoloLens**. If this option is not present, use one of the [Feedback](#feedback) options to contact us. + +### 4. Register devices in Windows Autopilot + +To register a HoloLens device in the Windows Autopilot program, you have to obtain the hardware hash of the device (also known as the hardware ID). The device can record its hardware hash in a CSV file during the OOBE process, or later when a device owner starts the diagnostic log collection process (described in the following procedure). Typically, the device owner is the first user to sign in to the device. + +**Retrieve a device hardware hash** + +1. Start the HoloLens 2 device, and make sure that you sign in by using an account that is the device owner. +1. On the device, press the Power and Volume Down buttons at the same time and then release them. The device collects diagnostic logs and the hardware hash, and stores them in a set of .zip files. +1. Use a USB-C cable to connect the device to a computer. +1. On the computer, open File Explorer. Open **This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents**, and locate the AutopilotDiagnostics.zip file. + + > [!NOTE] + > The .zip file may not immediately be available. If the file is not ready yet you may see a HoloLensDiagnostics.temp file in the Documents folder. To update the list of files, refresh the window. + +1. Extract the contents of the AutopilotDiagnostics.zip file. +1. In the extracted files, locate the CSV file that has a file name prefix of "DeviceHash." Copy that file to a drive on the computer where you can access it later. 
+ > [!IMPORTANT] + > The data in the CSV file should use the following header and line format: + > ``` + > Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User ,,,, + >``` + +**Register the device in Windows Autopilot** + +1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment**, and then select **Devices** > **Import** under **Windows Autopilot Deployment Program**. + +1. Under **Add Windows Autopilot devices**, select the DeviceHash CSV file, select **Open**, and then select **Import**. + + ![Use the Import command to import the hardware hash.](./images/hololens-ap-hash-import.png) +1. After the import finishes, select **Devices** > **Windows** > **Windows enrollment** > **Devices** > **Sync**. The process might take a few minutes to complete, depending on how many devices are being synchronized. To see the registered device, select **Refresh**. + + ![Use the Sync and Refresh commands to view the device list.](./images/hololens-ap-devices-sync.png) + +### 5. Create a device group + +1. In Microsoft Endpoint Manager admin center, select **Groups** > **New group**. +1. For **Group type**, select **Security**, and then enter a group name and description. +1. For **Membership type**, select either **Assigned** or **Dynamic Device**. +1. Do one of the following: + + - If you selected **Assigned** for **Membership type** in the previous step, select **Members**, and then add Autopilot devices to the group. Autopilot devices that aren't yet enrolled are listed by using the device serial number as the device name. 
+ - If you selected **Dynamic Devices** for **Membership type** in the previous step, select **Dynamic device members**, and then enter code in **Advanced rule** that resembles the following: + - If you want to create a group that includes all of your Autopilot devices, type: `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")` + - Intune's group tag field maps to the **OrderID** attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices that have a specific group tag (the Azure AD device OrderID), you must type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")` + - If you want to create a group that includes all your Autopilot devices that have a specific Purchase Order ID, type: `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")` + + > [!NOTE] + > These rules target attributes that are unique to Autopilot devices. +1. Select **Save**, and then select **Create**. + +### 6. Create a deployment profile + +1. In Microsoft Endpoint Manager admin center, select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile** > **HoloLens**. +1. Enter a profile name and description, and then select **Next**. + + ![Add a profile name and description](./images/hololens-ap-profile-name.png) +1. On the **Out-of-box experience (OOBE)** page, most of the settings are pre-configured to streamline OOBE for this evaluation. Optionally, you can configure the following settings: + + - **Language (Region)**: Select the language for OOBE. We recommend that you select a language from the list of [supported languages for HoloLens 2](hololens2-language-support.md). + - **Automatically configure keyboard**: To make sure that the keyboard matches the selected language, select **Yes**. 
+ - **Apply device name template**: To automatically set the device name during OOBE, select **Yes** and then enter the template phrase and placeholders in **Enter a name** For example, enter a prefix and `%RAND:4%`—a placeholder for a four-digit random number. + > [!NOTE] + > If you use a device name template, the OOBE process restarts the device one additional time after it applies the device name and before it joins the device to Azure AD. This restart enables the new name to take effect. + + ![Configure OOBE settings](./images/hololens-ap-profile-oobe.png) +1. After you configure the settings, select **Next**. +1. On the **Scope tags** page, optionally add the scope tags that you want to apply to this profile. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags.md). When finished, select **Next**. +1. On the **Assignments** page, select **Selected groups** for **Assign to**. +1. Under **SELECTED GROUPS**, select **+ Select groups to include**. +1. In the **Select groups to include** list, select the device group that you created for the Autopilot HoloLens devices, and then select **Next**. + + If you want to exclude any groups, select **Select groups to exclude**, and select the groups that you want to exclude. + + ![Assigning a device group to the profile.](./images/hololens-ap-profile-assign-devicegroup.png) +1. On the **Review + Create** page, review the settings and then select **Create** to create the profile. + + ![Review + create](./images/hololens-ap-profile-summ.png) + +### 7. Verify the ESP configuration + +The Enrollment Status Page (ESP) displays the status of the complete device configuration process that runs when an MDM managed user signs into a device for the first time. Make sure that your ESP configuration resembles the following, and verify that the assignments are correct. 
+ +![ESP configuration](./images/hololens-ap-profile-settings.png) + +### 8. Configure a custom configuration profile for HoloLens devices (known issue) + +1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**. +1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**. +1. Select **Create**. +1. Enter a name for the profile, and then select **Settings** > **Configure**. + + ![Settings for the custom configuration profile.](./images/hololens-ap-profile-settings-oma.png) +1. Select **Add**, and then specify the following information: + + - **Name**: SidecarPath + - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState + - **Data type**: Integer + - **Value**: 2 +1. Select **OK** two times, and then select **Create** to create the profile. +1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices. + +### 9. Verify the profile status of the HoloLens devices + +1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**. +1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**. + > [!NOTE] + > It may take a few minutes for the profile to be assigned to the device. + + ![Device and profile assignments.](./images/hololens-ap-devices-assignments.png) + +## Windows Autopilot for HoloLens 2 User Experience + +Your HoloLens users can follow these steps to provision HoloLens devices. + +1. Use the USB-C cable to connect the HoloLens device to a computer that has Advanced Recovery Companion (ARC) installed and has the appropriate Windows update downloaded. +1. Use ARC to flash the appropriate version of Windows on to the device. +1. Connect the device to the network, and then restart the device. 
+ > [!IMPORTANT] + > You must connect the device to the network before the Out-of-the-Box-Experience (OOBE) starts. The device determines whether it is provisioning as an Autopilot device while on the first OOBE screen. If the device cannot connect to the network, or if you choose not to provision the device as an Autopilot device, you cannot change to Autopilot provisioning at a later time. Instead, you would have to start this procedure over in order to provision the device as an Autopilot device. + + The device should automatically start OOBE. Do not interact with OOBE. Instead sit, back and relax! Let HoloLens 2 detect network connectivity and allow it complete OOBE automatically. The device may restart during OOBE. The OOBE screens should resemble the following. + + ![OOBE step 1](./images/hololens-ap-uex-1.png) + ![OOBE step 2](./images/hololens-ap-uex-2.png) + ![OOBE step 3](./images/hololens-ap-uex-3.png) + ![OOBE step 4](./images/hololens-ap-uex-4.png) + +At the end of OOBE, you can sign in to the device by using your user name and password. + + ![OOBE step 5](./images/hololens-ap-uex-5.png) + +## Known Issues + +- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md). + +## Feedback + +To provide feedback or report issues, use one of the following methods: + +- Use the Feedback Hub app. You can find this app on a HoloLens-connected computer. In Feedback Hub, select the **Enterprise Management** > **Device** category. + + When you provide feedback or report an issue, provide a detailed description. If applicable, include screenshots and logs. +- Send an email message to [hlappreview@microsoft.com](mailto:hlappreview@microsoft.com). For the email subject, enter **\<*Tenant*> Autopilot for HoloLens 2 evaluation feedback** (where \<*Tenant*> is the name of your Intune tenant). 
+ + Provide a detailed description in your message. However, unless Support personnel specifically request it, do not include data such as screenshots or logs. Such data might include private or personally identifiable information (PII). diff --git a/devices/hololens/images/hololens-ap-devices-assignments.png b/devices/hololens/images/hololens-ap-devices-assignments.png new file mode 100644 index 0000000000..f99eaa367d Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-assignments.png differ diff --git a/devices/hololens/images/hololens-ap-devices-sync.png b/devices/hololens/images/hololens-ap-devices-sync.png new file mode 100644 index 0000000000..fe970f7983 Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-sync.png differ diff --git a/devices/hololens/images/hololens-ap-enrollment-profiles.png b/devices/hololens/images/hololens-ap-enrollment-profiles.png new file mode 100644 index 0000000000..1e3e8dfaa4 Binary files /dev/null and b/devices/hololens/images/hololens-ap-enrollment-profiles.png differ diff --git a/devices/hololens/images/hololens-ap-hash-import.png b/devices/hololens/images/hololens-ap-hash-import.png new file mode 100644 index 0000000000..078e73d78c Binary files /dev/null and b/devices/hololens/images/hololens-ap-hash-import.png differ diff --git a/devices/hololens/images/hololens-ap-intro.png b/devices/hololens/images/hololens-ap-intro.png new file mode 100644 index 0000000000..8095114167 Binary files /dev/null and b/devices/hololens/images/hololens-ap-intro.png differ diff --git a/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png new file mode 100644 index 0000000000..9e6dc92a3c Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png differ 
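Review bot: The OMA-URI in step 8, `./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState`, carries a `./images/` prefix that looks like an artifact of the image-path edits elsewhere in this file; device-scoped CSP paths start at `./Device/Vendor/MSFT/`, and an admin who pastes the value as written gets a custom profile that cannot apply, which defeats the purpose of the known-issue workaround. Suggest `./Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState` and a check against the EnrollmentStatusTracking CSP reference before publishing. The `description:` field in the front matter is also empty, so the page will render without a summary.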
diff --git a/devices/hololens/images/hololens-ap-profile-name.png b/devices/hololens/images/hololens-ap-profile-name.png
new file mode 100644
index 0000000000..a427b437b8
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-name.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-oobe.png b/devices/hololens/images/hololens-ap-profile-oobe.png
new file mode 100644
index 0000000000..e14226d7ad
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-oobe.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings-oma.png b/devices/hololens/images/hololens-ap-profile-settings-oma.png
new file mode 100644
index 0000000000..7528f55292
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings-oma.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings.png b/devices/hololens/images/hololens-ap-profile-settings.png
new file mode 100644
index 0000000000..5753814e1b
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-summ.png b/devices/hololens/images/hololens-ap-profile-summ.png
new file mode 100644
index 0000000000..4fb955bbdf
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-summ.png differ
diff --git a/devices/hololens/images/hololens-ap-qrcode.png b/devices/hololens/images/hololens-ap-qrcode.png
new file mode 100644
index 0000000000..c5296e3e91
Binary files /dev/null and b/devices/hololens/images/hololens-ap-qrcode.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-1.png b/devices/hololens/images/hololens-ap-uex-1.png
new file mode 100644
index 0000000000..f89faa366a
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-1.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-2.png b/devices/hololens/images/hololens-ap-uex-2.png
new file mode 100644
index 0000000000..5bf1beb3f0
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-2.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-3.png b/devices/hololens/images/hololens-ap-uex-3.png
new file mode 100644
index 0000000000..59a7362269
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-3.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-4.png b/devices/hololens/images/hololens-ap-uex-4.png
new file mode 100644
index 0000000000..f17557b5c4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-4.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-5.png b/devices/hololens/images/hololens-ap-uex-5.png
new file mode 100644
index 0000000000..0bd23da48e
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-5.png differ
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
deleted file mode 100644
index ee0915b54b..0000000000
--- a/devices/hololens/scep-whitepaper.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: SCEP Whitepaper
-description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
-ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
-author: pawinfie
-ms.author: pawinfie
-ms.date: 02/12/2020
-keywords: hololens, Windows Mixed Reality, security
-ms.prod: hololens
-ms.sitesec: library
-ms.topic: article
-audience: ITPro
-ms.localizationpriority: high
-ms.custom:
-- CI 111456
-- CSSTroubleshooting
-appliesto:
-- HoloLens 1 (1st gen)
-- HoloLens 2
----
-
-# SCEP whitepaper
-
-## High Level
-
-### How the SCEP Challenge PW is secured
-
-We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
-
-We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
-
-## Behind the scenes
-
-### Intune Connector has a number of responsibilities
-
-1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
-
-1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
-
-1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
- >[!NOTE]
- >The connector communication with Intune is strictly outbound traffic.
-
-1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
-
- 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
- >[!NOTE]
- >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
-
- 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
-
- 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
- >[!NOTE]
- >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
-
- 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
-
- 1. The mobile device must be enrolled in Intune. If not, we reject the request as well
-
- 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
-
- 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
- >[!NOTE]
- >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
-
- 1. The mobile device talks only to the NDES URI
-
- 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
-
- 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
- >[!NOTE]
- > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
-
-1. Connector traffic with Intune cloud service consists of the following operations:
-
- 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
-
- 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
-
-1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 031501c2b4..8237e61a08 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -3,7 +3,7 @@ title: Accessibility (Surface Hub)
 description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
 ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Accessibility settings, Settings app, Ease of Access
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 8125113887..81c03b484c 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Admin group management (Surface Hub)
 description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device.
 ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: admin group management, Settings app, configure Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 7b44ff3d38..f74f2297fa 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -3,7 +3,7 @@ title: PowerShell for Surface Hub (Surface Hub)
 description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
 ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: PowerShell, set up Surface Hub, manage Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 7ea2bc584c..66dd43f75c 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Applying ActiveSync policies to device accounts (Surface Hub)
 description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.
 ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Surface Hub, ActiveSync policies
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d55222b1b..77ce204725 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -1,7 +1,7 @@
 ---
 title: Change history for Surface Hub
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: This topic lists new and updated topics for Surface Hub.
 keywords: change history
 ms.prod: surface-hub
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 142af6e80e..d20e57a184 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -3,7 +3,7 @@ title: Change the Microsoft Surface Hub device account
 description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.
 ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: change device account, change properties, Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 5fd13d7b95..d5f39c55db 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Connect other devices and display with Surface Hub
 description: You can connect other device to your Surface Hub to display content.
 ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.prod: surface-hub
 ms.sitesec: library
 author: dansimp
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index ff76987746..29f9557045 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -3,7 +3,7 @@ title: Create a device account using UI (Surface Hub)
 description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center.
 ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: create device account, Office 365 UI, Exchange Admin center, Microsoft 365 admin center, Skype for Business, mobile device mailbox policy
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index dc72c7463a..8985f70c9d 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -3,7 +3,7 @@ title: Create and test a device account (Surface Hub)
 description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
 ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67
 ms.reviewer: rikot
-manager: dansimp
+manager: laurawi
 keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index d8d0269900..8eb3486d7d 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -3,7 +3,7 @@ title: Reset or recover a Surface Hub
 description: Describes the reset and recovery processes for the Surface Hub, and provides instructions.
 ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: reset Surface Hub, recover
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 73a50f66c9..9309e9b2a3 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 06/20/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index bf91e2e42c..8ac2baccb6 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 11/15/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index b6fca3a49e..9a100d4a60 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Microsoft Exchange properties (Surface Hub)
 description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub.
 ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 8776870779..3e02c9bb0a 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/27/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 3d38a356f5..8a3bfc6e91 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -3,7 +3,7 @@ title: First-run program (Surface Hub)
 description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process.
 ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: first run, Surface Hub, out-of-box experience, OOBE
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index ea543e69f2..73c94f6557 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Hybrid deployment (Surface Hub)
 description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub.
 ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png
similarity index 100%
rename from devices/surface-hub/images/sccm-additional.png
rename to devices/surface-hub/images/configmgr-additional.png
diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png
similarity index 100%
rename from devices/surface-hub/images/sccm-create.png
rename to devices/surface-hub/images/configmgr-create.png
diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png
similarity index 100%
rename from devices/surface-hub/images/sccm-oma-uri.png
rename to devices/surface-hub/images/configmgr-oma-uri.png
diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png
similarity index 100%
rename from devices/surface-hub/images/sccm-platform.png
rename to devices/surface-hub/images/configmgr-platform.png
diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png
similarity index 100%
rename from devices/surface-hub/images/sccm-team.png
rename to devices/surface-hub/images/configmgr-team.png
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 74505ca6ff..9e1c8767f5 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -3,7 +3,7 @@ title: Install apps on your Microsoft Surface Hub
 description: Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.
 ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: install apps, Microsoft Store, Microsoft Store for Business
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 810691dfe8..886e4b79f3 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/08/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index b3a74fc47d..3762de36a4 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage settings with an MDM provider (Surface Hub)
 description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
 ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: mobile device management, MDM, manage policies
 ms.prod: surface-hub
 ms.sitesec: library
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
 Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
-Surface Hub has been validated with Microsoft’s first-party MDM providers:
+Surface Hub has been validated with Microsoft's first-party MDM providers:
 - Microsoft Intune standalone
 - On-premises MDM with Microsoft Endpoint Configuration Manager
@@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
 | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
 | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
-| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 | Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 ### Generate OMA URIs for settings
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
+You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
 **To generate the OMA URI for any setting in the CSP documentation**
 1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
 - bool (Boolean)
-
 ## Example: Manage Surface Hub settings with Microsoft Intune
 You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
-
-## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
 Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
 > [!NOTE]
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
 3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
 4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
- ![example of UI](images/sccm-create.png)
+ ![example of UI](images/configmgr-create.png)
 5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
- ![select platform](images/sccm-platform.png)
+ ![select platform](images/configmgr-platform.png)
 7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
 8. On the **Windows 10 Team** page, configure the settings you require.
- ![Windows 10 Team](images/sccm-team.png)
+ ![Windows 10 Team](images/configmgr-team.png)
 9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
- ![additional settings](images/sccm-additional.png)
+ ![additional settings](images/configmgr-additional.png)
 10. On the **Additional Settings** page, click **Add**.
 11. In the **Browse Settings** dialog, click **Create Setting**.
 12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
 13. Under **Setting type**, select **OMA URI**.
 14. Complete the form to create a new setting, and then click **OK**.
- ![OMA URI setting](images/sccm-oma-uri.png)
+ ![OMA URI setting](images/configmgr-oma-uri.png)
 15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
 16. 
On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
 17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index a5d76ff156..b217ccee4d 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/27/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 4ad681ff5f..10240a192f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Surface Hub
 description: How to manage your Surface Hub after finishing the first-run program.
 ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: manage Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 2dc9f71874..9dee3e2a4b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Windows updates on Surface Hub
 description: You can manage Windows updates on your Microsoft Surface Hub or Surface Hub 2S by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
 ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index 1b09f33999..0e871c1ca4 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 06/20/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index eb33f483d6..c4e2ff5b3e 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 06/20/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 262c565327..9828a8a268 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -3,7 +3,7 @@ title: Monitor your Microsoft Surface Hub
 description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
 ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 88b0653b00..d35f03b804 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: On-premises deployment single forest (Surface Hub)
 description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
 ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: single forest deployment, on prem deployment, device account, Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index f643e4cfe6..170dd03968 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -8,7 +8,7 @@ author: dansimp
 ms.author: dansimp
 ms.date: 08/28/2018
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0cd6fc5219..30f0e34b1f 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Online deployment with Office 365 (Surface Hub)
 description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
 ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: device account for Surface Hub, online deployment
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 22e7e1284c..1ef2fcaa46 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Password management (Surface Hub)
 description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
 ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: password, password management, password rotation, device account
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 6d06a9ac69..aeadcb900a 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,7 +3,7 @@ title: Physically install Microsoft Surface Hub
 description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
 ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Surface Hub, readiness guide, installation location, mounting options
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 198dba4f74..69ca8e6c3e 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Prepare your environment for Microsoft Surface Hub
 description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
 ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 607c66829e..305403b9dc 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Create provisioning packages (Surface Hub)
 description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
 ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: add certificate, provisioning package
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 7a9acbe0fd..1794a9bcac 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/27/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6bbfd1532a..12e59349d6 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,7 +3,7 @@ title: Save your BitLocker key (Surface Hub)
 description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
 ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Surface Hub, BitLocker, Bitlocker recovery keys
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96f42c3df1..08ca875984 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,7 +3,7 @@ title: Set up Microsoft Surface Hub
 description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
 ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: set up instructions, Surface Hub, setup worksheet, first-run program
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 6043d88f1d..e7352a5dbe 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,7 +3,7 @@ title: Setup worksheet (Surface Hub)
 description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
 ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Setup worksheet, pre-setup, first-time setup
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index c805fb9005..910f2d0129 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/27/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index b683f85daf..9de0b753f9 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,7 +3,7 @@ title: Top support solutions for Microsoft Surface Hub
 description: Find top solutions for common issues using Surface Hub.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Troubleshoot common problems, setup issues
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 9ad0606641..80c7dbefd1 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 08/28/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 5e5073588a..79ff342ba9 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 08/22/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 105a188ae1..aa1b746b8d 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,7 +1,7 @@
 ---
 title: Implement Quality of Service on Surface Hub
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: Learn how to configure QoS on Surface Hub.
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 75feb89fc2..2db5f9706e 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -3,7 +3,7 @@ title: Using the Surface Hub Recovery Tool
 description: How to use the Surface Hub Recovery Tool to re-image the SSD.
 ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: manage Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 7896a7d634..12f256388d 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -1,7 +1,7 @@
 ---
 title: Surface Hub SSD replacement
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: Learn how to replace the solid state drive in a Surface Hub.
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
index 6abc46e411..209e77df4c 100644
--- a/devices/surface-hub/surface-hub-technical-55.md
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -1,7 +1,7 @@
 ---
 title: Technical information for 55" Surface Hub
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: Specifications for the 55" Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
index 0ba7d45aa1..1c08da5a6b 100644
--- a/devices/surface-hub/surface-hub-technical-84.md
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -1,7 +1,7 @@
 ---
 title: Technical information for 84" Surface Hub
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: Specifications for the 84" Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8d94858bfa..fc1ada3230 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 11/27/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 0626c4a0d7..4c324d33ce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 01/18/2018
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cf02da1a6e..4a30281eff 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 33233a023b..cf9f2b6339 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,7 +7,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 07/27/2017
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index cbc437e783..1ec1e19ab5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Using a room control system (Surface Hub)
 description: Room control systems can be used with your Microsoft Surface Hub.
 ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: room control system, Surface Hub
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 416610d656..a1e05d92b5 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -8,7 +8,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 03/18/2019
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0a314fe596..96162edafe 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Wireless network management (Surface Hub)
 description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection.
 ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: network connectivity, wired connection
 ms.prod: surface-hub
 ms.sitesec: library
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 2ab8b6b45b..017f34559f 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,7 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
 description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
 ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: security, features, configure, hardware, device, custom, script, update
 ms.localizationpriority: medium
 ms.prod: w10
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index 21d5947ce2..296a57b10e 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -9,7 +9,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ---
 
 # Surface Asset Tag Tool
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index 8866b5c37b..c260718254 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -7,7 +7,7 @@ ms.pagetype: surface, devices
 ms.sitesec: library
 author: coveminer
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index c3a2ef2f31..35be5e736d 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -1,7 +1,7 @@
 ---
 title: Change history for Surface documentation (Windows 10)
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 description: This topic lists new and updated topics in the Surface documentation library.
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 5aac305c5a..f68989b045 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -12,7 +12,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ---
 
 # Considerations for Surface and Microsoft Endpoint Configuration Manager
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index bd26347d6a..70d53dae71 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,7 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface)
 description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
 ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: deploy, customize, automate, network, Pen, pair, boot
 ms.localizationpriority: medium
 ms.prod: w10
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 4b24dd9589..121be61007 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -12,7 +12,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ---
 
 # Deploy Surface app with Microsoft Store for Business and Education
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index e1debff872..a12b2f2dc4 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -12,7 +12,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ---
 
 # Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index f0b8a6490f..a7220315da 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -7,7 +7,7 @@ ms.pagetype: surface, devices
 ms.sitesec: library
 author: coveminer
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.author: v-jokai
 ms.topic: article
 ms.localizationpriority: medium
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 65453aeaf5..d51a90413e 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,7 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
 description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
 ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: network, wireless, device, deploy, authentication, protocol
 ms.localizationpriority: medium
 ms.prod: w10
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 8e512c1511..0147596761 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -12,7 +12,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ---
 
 # Enroll and configure Surface devices with SEMM
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 4acda64004..c35dbe0630 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,7 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
 description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
 ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
 ms.localizationpriority: medium
 ms.prod: w10
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 9d47e34bb2..c250085467 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -9,7 +9,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 3760d85a4d..36197ca93f 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -8,7 +8,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.date: 10/28/2019
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index 827d2c64c5..75ccff3070 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -3,7 +3,7 @@ title: Manage and deploy Surface driver and firmware updates
 description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
 ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
 ms.localizationpriority: medium
 ms.prod: w10
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 224cc16744..c5f41821d3 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -11,7 +11,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ---
 
 # Manage Surface UEFI settings
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 84ef8a1b9f..f0e6c5d221 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -9,7 +9,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 4ee475b184..0cbf9dac52 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Data Eraser (Surface)
 description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
 ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 keywords: tool, USB, data, erase
 ms.prod: w10
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index e60688692b..6c25746e2a 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Deployment Accelerator (Surface)
 description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 keywords: deploy, install, tool
 ms.prod: w10
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 42f641271c..e10b8209c9 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Step by step Surface Deployment Accelerator (Surface)
 description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
 ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 keywords: deploy, configure
 ms.prod: w10
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 4fe99f1ebd..a7ef242da7 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -3,7 +3,7 @@ title: Top support solutions for Surface devices
 description: Find top solutions for common issues using Surface devices in the enterprise.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 ms.reviewer:
-manager: dansimp
+manager: laurawi
 keywords: Troubleshoot common problems, setup issues
 ms.prod: w10
 ms.mktglfcycl: support
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index 15f3dc33f0..044b0e0437 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -12,7 +12,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
 ---
 
 # Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 9c71c1cee4..11a032fb45 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -10,7 +10,7 @@ ms.author: v-jokai
 ms.topic: article
 ms.date: 10/31/2019
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.audience: itpro
 ---
 
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 7dca10584e..035eec60da 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -8,7 +8,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 8586cb543a..795bff7f7f 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -8,7 +8,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index 7c84f5c0e4..2b19282899 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -8,7 +8,7 @@ author: coveminer
 ms.author: v-jokai
 ms.topic: article
 ms.reviewer: cottmca
-manager: dansimp
+manager: laurawi
 ms.localizationpriority: medium
 ms.audience: itpro
 ---
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index d748891d49..26264b1509 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Surface Dock Firmware Update
+title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
 description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
 ms.localizationpriority: medium
 ms.prod: w10
@@ -9,25 +9,34 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.reviewer: scottmca -manager: dansimp +manager: laurawi ms.audience: itpro --- -# Microsoft Surface Dock Firmware Update - -This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. - -Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used. +# Microsoft Surface Dock Firmware Update: Technical information for IT administrators > [!IMPORTANT] ->Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. +> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network. + +This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. + +This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. 
The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used. + +## Install the Surface Dock Firmware Update + +This section describes how to manually install the firmware update. + +> [!NOTE] +> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. + +1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). + - The update requires a Surface device running Windows 10, version 1803 or later. + - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. + +2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. ## Monitor the Surface Dock Firmware Update -This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: - - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) - - [Event logging](#event-logging) - - [Troubleshooting tips](#troubleshooting-tips) - - [Versions reference](#versions-reference) +This section is optional and provides an overview of how to monitor installation of the firmware update. To monitor the update: 
@@ -39,7 +48,6 @@ To monitor the update: Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" ``` 3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article. - 4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. 5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example: 
@@ -49,15 +57,11 @@ To monitor the update: >[!TIP] >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored. -## Install the Surface Dock Firmware Update - -This section describes how to install the firmware update. - -1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). - - The update requires a Surface device running Windows 10, version 1803 or later. - - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. - -2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. +Also see the following sections in this article: + - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) + - [Event logging](#event-logging) + - [Troubleshooting tips](#troubleshooting-tips) + - [Versions reference](#versions-reference) ## Network deployment diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 493b04c1ae..fc88993c64 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -10,7 +10,7 @@ author: coveminer ms.author: v-jokai ms.topic: article ms.reviewer: scottmca -manager: dansimp +manager: laurawi ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index 41a2f2f912..f21805f1a7 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md 
@@ -10,7 +10,7 @@ ms.author: v-jokai ms.topic: article ms.date: 11/13/2019 ms.reviewer: jesko -manager: dansimp +manager: laurawi ms.audience: itpro --- # Intune management of Surface UEFI settings diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index fb4f9b552d..916c4231bb 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -9,7 +9,7 @@ author: coveminer ms.author: v-jokai ms.topic: article ms.reviewer: jessko -manager: dansimp +manager: laurawi ms.audience: itpro --- # Deploying, managing, and servicing Surface Pro X diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md index 0057104b59..4459d6052b 100644 --- a/devices/surface/surface-pro-arm-app-performance.md +++ b/devices/surface/surface-pro-arm-app-performance.md @@ -10,7 +10,7 @@ ms.author: v-jokai ms.topic: article ms.date: 10/03/2019 ms.reviewer: jessko -manager: dansimp +manager: laurawi ms.audience: itpro --- # Surface Pro X app compatibility diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 9c7b32f336..c0de20193f 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -11,7 +11,7 @@ ms.author: v-jokai ms.topic: article ms.date: 03/09/2020 ms.reviewer: -manager: dansimp +manager: laurawi ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index d30a955dac..24a358065b 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium ms.author: v-jokai ms.topic: article ms.reviewer: tokatz -manager: dansimp +manager: laurawi --- # Optimize Wi-Fi connectivity for Surface devices 
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index 6174474de7..0caea932ab 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -10,7 +10,7 @@ author: coveminer ms.author: v-jokai ms.topic: article ms.reviewer: -manager: dansimp +manager: laurawi ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index bac99f89bc..f483ed4583 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -12,7 +12,7 @@ ms.topic: article ms.localizationpriority: medium ms.audience: itpro ms.reviewer: -manager: dansimp +manager: laurawi --- # Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index da2a90ea0b..42c6d6f42f 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -10,7 +10,7 @@ author: coveminer ms.author: v-jokai ms.topic: article ms.reviewer: -manager: dansimp +manager: laurawi ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md index 40c991f145..0309d071ec 100644 --- a/devices/surface/using-the-sda-deployment-share.md +++ b/devices/surface/using-the-sda-deployment-share.md 
@@ -12,7 +12,7 @@ ms.topic: article ms.localizationpriority: medium ms.audience: itpro ms.reviewer: -manager: dansimp +manager: laurawi --- # Using the Microsoft Surface Deployment Accelerator deployment share diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index 37cb7a1d1e..a6686dcf69 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -11,7 +11,7 @@ author: coveminer ms.author: v-jokai ms.topic: article ms.reviewer: scottmca -manager: dansimp +manager: laurawi ms.audience: itpro --- diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index b008fa625a..0860600d05 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -1,7 +1,7 @@ --- title: Windows Autopilot and Surface devices ms.reviewer: -manager: dansimp +manager: laurawi description: Find out about Windows Autopilot deployment options for Surface devices. keywords: autopilot, windows 10, surface, deployment ms.prod: w10 
@@ -48,17 +48,14 @@ Select Surface partners can enroll Surface devices in Windows Autopilot for you Surface partners that are enabled for Windows Autopilot include: -- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) -- [Atea](https://www.atea.com/) -- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) -- [Cancom](https://www.cancom.de/) -- [CDW](https://www.cdw.com/) -- [Computacenter](https://www.computacenter.com/uk) -- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) -- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) -- [SHI](https://www.shi.com/Surface) -- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/) -- [Techdata](https://www.techdata.com/) +| US partners | Global partners | US distributors | +|--------------|---------------|-------------------| +| * [CDW](https://www.cdw.com/) | * [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) | * [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/) | +| * [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) | * [ATEA](https://www.atea.com/) | * [Techdata](https://www.techdata.com/) | +| * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) | | +| * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) | | +| * [LDI Connect](https://www.myldi.com/managed-it/) | * [Computacenter](https://www.computacenter.com/uk) | | +| * [F1](https://www.functiononeit.com/#empower) | | ## Learn more diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index a39eca9e4d..ebab019584 100644 
--- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data |SQL Server version|Service pack|System architecture| |---|---|---| +|Microsoft SQL Server 2019||32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| |Microsoft SQL Server 2012|SP2|32-bit or 64-bit| |Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit| +For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f). + ### Publishing server operating system requirements The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 1eb4d1d50b..7f0c586ed7 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -31,64 +31,61 @@ The following tables list the system apps, installed Windows apps, and provision Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. - ## Provisioned Windows apps -Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. +You can list all provisioned Windows apps with this PowerShell command: -> [!TIP] -> You can list all provisioned Windows apps with this PowerShell command: -> ``` -> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName -> ``` +```Powershell +Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +``` -
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909. -| Package name | App name | 1709 | 1803 | 1809 | 1909 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | -| 
Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | -| 
Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | 
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | +| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | 
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No 
| +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | 
x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. @@ -97,13 +94,11 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809. -> [!TIP] -> You can list all system apps with this PowerShell command: -> ``` -> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation -> ``` +You can list all system apps with this PowerShell command: -
+```Powershell +Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +``` | Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? | |----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 24d475d6e4..413f6d9c1e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -9,7 +9,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 09/05/2017 --- # Azure Active Directory integration with MDM 
@@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD. -> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. +> [!IMPORTANT] +> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. ### BYOD scenario @@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. -> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> [!NOTE] +> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. ### MDM endpoints involved in Azure AD integrated enrollment 
@@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use **Terms of Use endpoint** Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. -It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies). +It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies). The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. 
@@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). -> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> [!NOTE] +> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs. 
@@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD. -The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use. Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. @@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is CXH-HOST (HTTP HEADER) -Senario +Scenario Background Theme WinJS Scenario CSS 
@@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T -> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time. +> [!NOTE] +> There is no device ID claim in the access token because the device may not yet be enrolled at this time. - To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). Here's an example URL. -``` syntax +```console https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 Authorization: Bearer eyJ0eXAiOi ``` @@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu Here is the URL format: -``` syntax +```console HTTP/1.1 302 Location: ?error=access_denied&error_description=Access%20is%20denied%2E @@ -426,7 +428,7 @@ The following table shows the error codes.

unsupported version

-

Tenant or user data are missingor other required prerequisites for device enrollment are not met

+

Tenant or user data are missing or other required prerequisites for device enrollment are not met

302

unauthorized_client

unauthorized user or tenant

@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde **Evaluating Azure AD user tokens** The Azure AD token is in the HTTP Authorization header in the following format: -``` syntax +```console Authorization:Bearer ``` @@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: -``` syntax +```xml Alert Type: com.microsoft/MDM/AADUserToken Alert sample: @@ -636,7 +638,7 @@ Alert sample: UserToken inserted here - … other xml tags … + … other XML tags … ``` @@ -665,7 +667,7 @@ Here's an example. user - … other xml tags … + … other XML tags … ``` @@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it. -> **Note**  This is only applicable for approved MDM apps on Windows 10 devices. +> [!NOTE] +> This is only applicable for approved MDM apps on Windows 10 devices. -``` syntax +```console Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 @@ -713,7 +716,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment](images/azure-ad-unenrollment.png) +![aadj unenrollment](images/azure-ad-unenrollment.png) ## Error codes @@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di - 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 959f35a071..8053b57d73 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/24/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp @@ -149,6 +149,8 @@ where: The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured. +> [!Note] +> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index a55e6716ff..c5e74893fc 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1025,6 +1025,7 @@ To validate on Desktop, do the following: [Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] +> * User > * Device
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 70668fa9de..e7cb92b9c4 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ **Schedule/DailyRecurrent**

This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ ## Related topics diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 1c13aa99ad..eecc7c7075 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG similarity index 100% rename from windows/configuration/images/sccm-asset.PNG rename to windows/configuration/images/configmgr-asset.PNG diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG similarity index 100% rename from windows/configuration/images/sccm-assets.PNG rename to windows/configuration/images/configmgr-assets.PNG diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG similarity index 100% rename from windows/configuration/images/sccm-client.PNG rename to windows/configuration/images/configmgr-client.PNG diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG similarity index 100% rename from windows/configuration/images/sccm-collection.PNG rename to windows/configuration/images/configmgr-collection.PNG diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG similarity index 100% rename from windows/configuration/images/sccm-install-os.PNG rename to windows/configuration/images/configmgr-install-os.PNG diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/configuration/images/sccm-post-refresh.PNG rename to windows/configuration/images/configmgr-post-refresh.PNG 
diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG similarity index 100% rename from windows/configuration/images/sccm-pxe.PNG rename to windows/configuration/images/configmgr-pxe.PNG diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG similarity index 100% rename from windows/configuration/images/sccm-site.PNG rename to windows/configuration/images/configmgr-site.PNG diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/configuration/images/sccm-software-cntr.PNG rename to windows/configuration/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 2245bcd552..52246fddfd 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -151,7 +151,7 @@ $oulist = Import-csv -Path c:\oulist.txt ForEach($entry in $oulist){ $ouname = $entry.ouname $oupath = $entry.oupath - New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf + New-ADOrganizationalUnit -Name $ouname -Path $oupath Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath" } ``` diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png similarity index 100% rename from windows/deployment/images/sccm-asset.PNG rename to windows/deployment/images/configmgr-asset.png diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/configmgr-assets.png similarity index 100% rename from windows/deployment/images/sccm-assets.PNG rename to windows/deployment/images/configmgr-assets.png 
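Review bot: Dropping `-WhatIf` from the `New-ADOrganizationalUnit` line turns the sample from a dry run into a loop that creates OUs in the domain, yet the `Write-Host ... is created` line that follows still prints unconditionally, so a failed creation (bad `$oupath`, missing rights, OU already present) is reported as success. Add `-ErrorAction Stop` to the cmdlet, `New-ADOrganizationalUnit -Name $ouname -Path $oupath -ErrorAction Stop`, so the first failure halts the loop before the success message is printed. It is also worth keeping a sentence next to the fence telling readers to run the loop once with `-WhatIf` to preview the OUs that would be created from `c:\oulist.txt` before running it for real. The prose around the code fence is outside the hunk.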
diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG similarity index 100% rename from windows/deployment/images/sccm-client.PNG rename to windows/deployment/images/configmgr-client.PNG diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG similarity index 100% rename from windows/deployment/images/sccm-collection.PNG rename to windows/deployment/images/configmgr-collection.PNG diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG similarity index 100% rename from windows/deployment/images/sccm-install-os.PNG rename to windows/deployment/images/configmgr-install-os.PNG diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/deployment/images/sccm-post-refresh.PNG rename to windows/deployment/images/configmgr-post-refresh.PNG diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG similarity index 100% rename from windows/deployment/images/sccm-pxe.PNG rename to windows/deployment/images/configmgr-pxe.PNG diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG similarity index 100% rename from windows/deployment/images/sccm-site.PNG rename to windows/deployment/images/configmgr-site.PNG diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/deployment/images/sccm-software-cntr.PNG rename to windows/deployment/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 5f0a73e50a..1c93c41731 100644 --- a/windows/deployment/planning/windows-10-removed-features.md 
+++ b/windows/deployment/planning/windows-10-removed-features.md @@ -59,4 +59,4 @@ The following features and functionalities have been removed from the installed |Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 | |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 | -|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP). | 1703 | +|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index d97bb2897a..2167039e0c 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -19,7 +19,7 @@ ms.topic: article The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. -You can [**download the script here**](https://github.com/cinglis-msft/UpdateComplianceConfigurationScript). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. +You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. ## How the script is organized 
@@ -41,7 +41,7 @@ When using the script in the context of troubleshooting, use `Pilot`. Enter `Run 2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid). 3. Run the script. The script must be run in System context. 4. Examine the Logs output for any issues. If there were issues: - - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance] (update-compliance-configuration-manual.md). + - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes. - Make the necessary corrections and run the script again. 5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 55408f3c78..255adfa845 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -18,10 +18,9 @@ ms.topic: article # Monitor Windows Updates with Update Compliance > [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: -> -> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance was retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). -> * The Perspectives feature of Update Compliance was retired on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed on hold until the current situation stabilizes. 
+> * As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction 
@@ -33,7 +32,7 @@ Update Compliance enables organizations to: Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). +Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index 7a9adf27cd..f3d6dc0e2a 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md 
@@ -36,7 +36,7 @@ These fields are briefly described in this article, to learn more about Delivery |**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. | |**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. | |**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. | -|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode)**@JAIME** configuration for this content. | +|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. | |**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. | |**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. | |**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. | diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index e7d8d21550..de0d1957dc 100644 
--- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index fa6196d4f9..27951497ec 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md 
@@ -1,79 +1,80 @@ ---- -title: Install VAMT (Windows 10) -description: Install VAMT -ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro -author: greg-lindsay -ms.localizationpriority: medium -ms.date: 03/11/2019 -ms.topic: article ---- - -# Install VAMT - -This topic describes how to install the Volume Activation Management Tool (VAMT). - -## Install VAMT - -You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. - ->[!IMPORTANT] ->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  - ->[!NOTE] ->The VAMT Microsoft Management Console snap-in ships as an x86 package. - -### Requirements - -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied -- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) -- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) -- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP - -### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer - -1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. -2. Select **Basic**. -3. Accept the license terms. -4. 
Enter an install location or use the default path, and then select **Install**. -5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. - ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) - -### Install VAMT using the ADK - -1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. -Reminder: There won't be new ADK release for 1909. -2. Enter an install location or use the default path, and then select **Next**. -3. Select a privacy setting, and then select **Next**. -4. Accept the license terms. -5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) -6. On the completion page, select **Close**. - -### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server - -1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. - - ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) - -for remote SQL Server use -servername.yourdomain.com - - - -## Uninstall VAMT - -To uninstall VAMT using the **Programs and Features** Control Panel: -1. Open **Control Panel** and select **Programs and Features**. -2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. 
- - - - +--- +title: Install VAMT (Windows 10) +description: Install VAMT +ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 03/11/2019 +ms.topic: article +--- + +# Install VAMT + +This topic describes how to install the Volume Activation Management Tool (VAMT). + +## Install VAMT + +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. + +>[!IMPORTANT] +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  + +>[!NOTE] +>The VAMT Microsoft Management Console snap-in ships as an x86 package. + +### Requirements + +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied +- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) +- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended +- Alternatively, any supported **full** SQL instance + +### Install SQL Server Express / alternatively use any full SQL instance + +1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +2. Select **Basic**. +3. Accept the license terms. +4. 
Enter an install location or use the default path, and then select **Install**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) + +### Install VAMT using the ADK + +1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. +Reminder: There won't be new ADK release for 1909. +2. Enter an install location or use the default path, and then select **Next**. +3. Select a privacy setting, and then select **Next**. +4. Accept the license terms. +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +6. On the completion page, select **Close**. + +### Configure VAMT to connect to SQL Server Express or full SQL Server + +1. Open **Volume Active Management Tool 3.1** from the Start menu. +2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. + + ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) + +for remote SQL Server use +servername.yourdomain.com + + + +## Uninstall VAMT + +To uninstall VAMT using the **Programs and Features** Control Panel: +1. Open **Control Panel** and select **Programs and Features**. +2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. + + + + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 944908ad16..4f273824cb 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
@@ -108,11 +108,11 @@ Topics and procedures in this guide are summarized in the following table. An es
 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
 ```
- New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
- New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
- New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
+ New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
 ```
 7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
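Review bot: The five added New-NetFirewallRule lines still use en-dashes in `–Protocol` and `–LocalPort` while the commit only normalises the curly quotes around the display names, so each line now mixes `-` and `–` for parameters that readers will copy and paste. PowerShell's tokenizer generally accepts the en-dash, so this is a consistency point rather than a breakage, but the same normalisation that motivated the quote change applies here; e.g. `New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow` with plain hyphens on all five lines.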
@@ -123,7 +123,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 ```
 $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
 Stop-Process -Name Explorer
 ```
@@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
 ```
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
 Stop-Process -Name Explorer
 ```
@@ -326,7 +326,7 @@ WDSUTIL /Set-Server /AnswerClients:None
 See the following example:
- Config Mgr PXE
+ Config Mgr PXE
 5. Click **OK**.
 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -387,7 +387,7 @@ WDSUTIL /Set-Server /AnswerClients:None
 In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
 ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
 ```
 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
@@ -847,7 +847,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
- ![assets](images/sccm-assets.png)
+ ![assets](images/configmgr-assets.png)
 >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console.
@@ -900,7 +900,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
- ![site](images/sccm-site.png)
+ ![site](images/configmgr-site.png)
 If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
@@ -908,7 +908,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
- ![client](images/sccm-client.png)
+ ![client](images/configmgr-client.png)
 >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
@@ -970,7 +970,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
- ![collection](images/sccm-collection.png)
+ ![collection](images/configmgr-collection.png)
 ### Create a device collection for PC1
@@ -1018,7 +1018,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
- ![software](images/sccm-software-cntr.png)
+ ![software](images/configmgr-software-cntr.png)
 >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
@@ -1056,17 +1056,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
- ![installOS](images/sccm-install-os.png)
+ ![installOS](images/configmgr-install-os.png)
 The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
- ![asset](images/sccm-asset.png)
+ ![asset](images/configmgr-asset.png)
 You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
- ![post-refresh](images/sccm-post-refresh.png)
+ ![post-refresh](images/configmgr-post-refresh.png)
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
index 7fd687321a..762aab67e5 100644
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -10,7 +10,6 @@ ms.pagetype: deploy audience: itpro author: greg-lindsay ms.author: greglin -ms.date: 10/31/2018 ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop @@ -25,19 +24,14 @@ The following table displays support information for the Windows Autopilot progr Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). - -| Audience | Support contact | -|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - +| Audience | Support contact | +|------------|---------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 162db9fe0e..b85fc9b010 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -26,6 +26,9 @@ ms.topic: article + + diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 8dc6b27a55..7f7f58c2b8 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md 
@@ -71,4 +71,5 @@
 ### [VPN security features](vpn\vpn-security-features.md)
 ### [VPN profile options](vpn\vpn-profile-options.md)
 ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
-### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
\ No newline at end of file
+### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
+### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 24172f6859..9369ea8370 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
 If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
-Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
+Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
 If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
new file mode 100644
index 0000000000..66699d9e0b
--- /dev/null
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -0,0 +1,676 @@ +--- +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +audience: ITPro +ms.topic: article +author: kelleyvice-msft +ms.localizationpriority: medium +ms.date: 04/07/2020 +ms.reviewer: +manager: dansimp +ms.author: jajo +--- + +# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client + +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. + +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. + +> [!NOTE] +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. 
For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). + +## Solution Overview + +The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). + +Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). + +To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: + +```xml +ForceTunnel +``` + +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: + +```xml + +
[IP addresses or subnet]
+ [IP Prefix] + true +
+``` + +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. + +An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: + +```xml + + + ForceTunnel + + +
203.0.113.0
+ 24 + true +
+ +
198.51.100.0
+ 22 + true +
+
+``` + +> [!NOTE] +> The IP addresses and prefix size values in this example are used purely as examples only and should not be used. + +## Solution Deployment + +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. + +This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. + +An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. 
+ +<# +.SYNOPSIS + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile +.DESCRIPTION + Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges + Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) + Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name +.PARAMETERS + Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +param ( + [string]$VPNprofilefile +) + +$usage=@" + +This script uses the following parameters: + +VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file + +EXAMPLES + +To check a VPN profile PowerShell script file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] + +To check a VPN profile XML file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE] + +"@ + +# Check if filename has been provided # +if ($VPNprofilefile -eq "") +{ + Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red + + $usage + exit +} + +$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile) + +# Check if XML file exists and is a valid XML file # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + if ( Test-Path $VPNprofilefile ) + { + $xml = New-Object System.Xml.XmlDocument + try + { + $xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName) + + } + catch [System.Xml.XmlException] + { + Write-Verbose "$VPNprofilefile : $($_.toString())" + Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" 
-ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red + $usage + exit + } +} + +# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + if ( (Test-Path $VPNprofilefile) ) + { + if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) + { + Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red + $usage + exit + } +} + +# Define Office 365 endpoints and service URLs # +$ws = "https://endpoints.office.com" +$baseServiceUrl = "https://endpoints.office.com" + +# Path where client ID and latest version number will be stored # +$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt" + +# Fetch client ID and version if data file exists; otherwise create new file # +if (Test-Path $datapath) +{ + $content = Get-Content $datapath + $clientRequestId = $content[0] + $lastVersion = $content[1] + +}else +{ + $clientRequestId = [GUID]::NewGuid().Guid + $lastVersion = "0000000000" + @($clientRequestId, $lastVersion) | Out-File $datapath +} + +# Call version method to check the latest version, and pull new data if version number is different # +$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId) + +if ($version[0].latest -gt $lastVersion) +{ + + Write-Host + Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" 
-ForegroundColor Cyan + + # Write the new version number to the data file # + @($clientRequestId, $version[0].latest) | Out-File $datapath +} + +# Invoke endpoints method to get the new data # +$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId" + +# Invoke endpoints method to get the data for the VPN profile comparison # +$endpointSets = Invoke-RestMethod -Uri ($uri) +$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" } +$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique + +# Temporarily include additional IP address until Teams client update is released +$optimizeIpsv4 += "13.107.60.1/32" + +# Process PowerShell script file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan + + # Clear Variables to allow re-run testing # + + $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file # + + # Extract the Profile XML from the ps1 file # + + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with the optimize list # + + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNprofilexml=""+$xmlbody+"" + + # Loop through each address found in VPNPROFILE XML section # + foreach ($Route in $VPNprofilexml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + [array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimize address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion 
route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + [int32]$insline=0 + + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match "") + { + $insline += $i # Record the position of the line after the NativeProfile section ends # + } + } + $OFS = "`r`n" + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $InpFile[$insline] += $OFS+" " + $InpFile[$insline] += $OFS+"
"+$IPInfo[0].Trim()+"
" + $InpFile[$insline] += $OFS+" "+$IPInfo[1].Trim()+"" + $InpFile[$insline] += $OFS+" true" + $InpFile[$insline] += $OFS+"
" + } + # Update fileName and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + +if ( $In_VPN_Only.Count -gt 0 ) +{ + Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $Outfile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr="
"+$IPInfo[0].Trim()+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + [int32]$insline=0 + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match $matchstr) + { + $insline += $i # Record the position of the line for the string match # + } + } + # Remove entries from XML # + $InpFile[$insline-1]="REMOVETHISLINE" + $InpFile[$insline]="REMOVETHISLINE" + $InpFile[$insline+1]="REMOVETHISLINE" + $InpFile[$insline+2]="REMOVETHISLINE" + $InpFile[$insline+3]="REMOVETHISLINE" + $InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"} + + # Update filename and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} + +# Process XML file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan + + # Clear variables to allow re-run testing # + $ARRVPN=$null # Array to hold VPN addresses from the XML file # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list # + $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # + + # Extract the Profile XML from the XML file # + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with optimize list # + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNRulesxml="$xmlbody" + + # Loop through each address found in VPNPROFILE file # + foreach ($Route in $VPNRulesxml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + 
[array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimize address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $inspoint = $Inpfile[0].IndexOf(""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+"" + } + $Inpfile = $Inpfile[0].Insert($inspoint,$routes) + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green + + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + + if ( $In_VPN_Only.Count -gt 0 ) + { + Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $OutFile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr=""+"
"+$IPInfo[0].Trim()+"
"+""+$IPInfo[1].Trim()+""+"true"+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + # Remove unknown IP address(es) # + $inspoint = $Inpfile[0].IndexOf($matchstr) + $Inpfile[0] = $Inpfile[0].Replace($matchstr,"") + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} +``` + +## Version Support + +This solution is supported with the following versions of Windows: + +- Windows 10 1903/1909 and newer: Included, no action needed +- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) +- Windows 10 1709 and lower: Exclusion routes are not supported + +- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported +- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported + +Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied. + +## Other Considerations + +You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples. 
+
+## Examples
+
+An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
+
+```powershell
+# Copyright (c) Microsoft Corporation. All rights reserved.
+#
+# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
+# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
+
+<#
+.SYNOPSIS
+ Configures an AlwaysOn IKEv2 VPN Connection using a basic script
+.DESCRIPTION
+ Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
+.PARAMETERS
+ Parameters are defined in a ProfileXML object within the script itself
+.NOTES
+ Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
+.VERSION
+ 1.0
+#>
+
+<#-- Define Key VPN Profile Parameters --#>
+$ProfileName = 'Contoso VPN with Office 365 Exclusions'
+$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
+
+<#-- Define VPN ProfileXML --#>
+$ProfileXML = '
+ true
+ corp.contoso.com
+ true
+ corp.contoso.com
+
+ edge1.contoso.com
+ ForceTunnel
+ IKEv2
+
+ Certificate
+
+
+
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contoso.com/proxy.pac + +
'
+
+<#-- Convert ProfileXML to Escaped Format --#>
+$ProfileXML = $ProfileXML -replace '<', '<'
+$ProfileXML = $ProfileXML -replace '>', '>'
+$ProfileXML = $ProfileXML -replace '"', '"'
+
+<#-- Define WMI-to-CSP Bridge Properties --#>
+$nodeCSPURI = './Vendor/MSFT/VPNv2'
+$namespaceName = "root\cimv2\mdm\dmmap"
+$className = "MDM_VPNv2_01"
+
+<#-- Define WMI Session --#>
+$session = New-CimSession
+
+<#-- Detect and Delete Previous VPN Profile --#>
+try
+{
+ $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
+ foreach ($deleteInstance in $deleteInstances)
+ {
+ $InstanceId = $deleteInstance.InstanceID
+ if ("$InstanceId" -eq "$ProfileNameEscaped")
+ {
+ $session.DeleteInstance($namespaceName, $deleteInstance, $options)
+ $Message = "Removed $ProfileName profile $InstanceId"
+ Write-Host "$Message"
+ } else {
+ $Message = "Ignoring existing VPN profile $InstanceId"
+ Write-Host "$Message"
+ }
+ }
+}
+catch [Exception]
+{
+ $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
+ Write-Host "$Message"
+ exit
+}
+
+<#-- Create VPN Profile --#>
+try
+{
+ $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
+ $newInstance.CimInstanceProperties.Add($property)
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
+ $newInstance.CimInstanceProperties.Add($property)
+ $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
+ $newInstance.CimInstanceProperties.Add($property)
+
+ $session.CreateInstance($namespaceName, $newInstance, $options)
+ $Message = "Created $ProfileName profile."
+ Write-Host "$Message"
+ Write-Host "$ProfileName profile summary:"
+ $session.EnumerateInstances($namespaceName, $className, $options)
+}
+catch [Exception]
+{
+ $Message = "Unable to create $ProfileName profile: $_"
+ Write-Host "$Message"
+ exit
+}
+
+$Message = "Script Complete"
+Write-Host "$Message"
+
+```
+
+An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
+
+>[!NOTE]
+>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
+
+```xml
+truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contoso.com/proxy.pac
+```
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index c3c19ee400..6d79db4dc3 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -38,7 +38,7 @@
 ## [Encrypted Hard Drive](encrypted-hard-drive.md)
-## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
+## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
@@ -47,8 +47,8 @@
 ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
 #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
 #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
-### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
-#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md)
+#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md)
 #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
 #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
 ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 56c13ecbbe..a7a7e7fce7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin
 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
-3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
+3. The client computer broadcasts a vendor-specific DHCP request that contains:
+ 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
+ 2. An AES-256 session key for the reply.
 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
 5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key.
 6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.
diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
similarity index 100%
rename from windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg
rename to windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 2f83a67ca2..18236c1ddf 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -111,7 +111,7 @@ list volume
 If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
-![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg)
+![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
 #### Step 2: Verify the status of WinRE
@@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
 You receive an error message that resembles the following:
-> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client.
+> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
 ### Cause
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index d2a77a72e2..2bcfcf6622 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -23,12 +23,12 @@ ms.reviewer:
 - Windows 10, version 1607 and later
 - Windows 10 Mobile, version 1607 and later
-If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
 The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
 >[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
 ## Manually create an EFS DRA certificate
@@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP
 >[!Important]
 >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
 > [!NOTE]
 > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
 ## Verify your data recovery certificate is correctly set up on a WIP client computer
-1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
+1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP.
-2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
+2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
@@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later
 Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
- Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
+ Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
 To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
@@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later
 4. Ask the employee to lock and unlock the device.
- The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+ The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
 ## Auto-recovery of encryption keys
 Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
-To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity.
+To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
 The employee experience is based on sign in with an Azure AD work account. The employee can either:
@@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
-- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
 - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
similarity index 78%
rename from windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 9d1178639c..a5baa19809 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -25,10 +25,10 @@ ms.date: 01/09/2020
 - Windows 10 Mobile, version 1607 and later
 - Microsoft Endpoint Configuration Manager
-Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 ## Add a WIP policy
-After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
 >[!TIP]
 > Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
@@ -37,16 +37,16 @@ After you’ve installed and set up Configuration Manager for your organization,
 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
- ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
+ ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts.
- ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png)
+ ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
+4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
 - **Settings for devices managed with the Configuration Manager client:** Windows 10
@@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts.
 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
- ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png)
+ ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
- ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png)
+ ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
 ## Add app rules to your policy
-During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
 The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
 >[!IMPORTANT]
->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data.
On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 ### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
 **To add a store app**
@@ -82,13 +82,13 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
 The **Add app rule** box appears.
- ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png)
+ ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
 3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+ Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
 4. Pick **Store App** from the **Rule template** drop-down list.
@@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk
 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
 > [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.

For example:

> ```json
 > {
 > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk
 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
 > [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`. > For example:

> ```json
 > {
@@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk
 > ```
 ### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
 **To add a desktop app to your policy**
 1. From the **App rules** area, click **Add**. The **Add app rule** box appears.
- ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png)
+ ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
 3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
+ Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
 4. Pick **Desktop App** from the **Rule template** drop-down list.
@@ -186,7 +186,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the

- +
@@ -215,7 +215,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
IssueMore information +
Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP.The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.
Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile. This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.
Manages
All fields left as “*”All fields left as "*" All files signed by any publisher. (Not recommended.)
-If you’re unsure about what to include for the publisher, you can run this PowerShell command: +If you're unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 Get-AppLockerFileInformation -Path ""
@@ -232,7 +232,7 @@ Path Publisher Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. ### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc).
@@ -257,7 +257,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
@@ -277,7 +277,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you'll see a message that says 1 rule was exported from the policy. **Example XML file**
This is the XML file that AppLocker creates for Microsoft Photos.
@@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager. +12. After you've created your XML file, you need to import it by using Configuration Manager. **To import your Applocker policy file app rule using Configuration Manager**
@@ -307,13 +307,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with The **Add app rule** box appears. -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: +4. Fill out the rest of the app rule info, based on the type of rule you're adding: - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. 
@@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.| -![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) +![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png) ## Define your enterprise-managed identity domains -Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. +Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. 
@@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). >[!IMPORTANT] >Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network**
@@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
@@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw - +
@@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw - + -
+
@@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw 4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer. - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png) - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. 
@@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). 
## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. +After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: 
@@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 
+ - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 2. After you pick all of the settings you want to include, click **Summary**.
@@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy -After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 47d4db6ed7..684b78d8e2 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to ![Sensitivity labels](images/sensitivity-label-auto-label.png) -A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on. +A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on. You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. ### Protection
@@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas - Auto labelling requires Windows 10, version 1903 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md) +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
similarity index 100%
rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png
rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
similarity index 88%
rename from windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index fc7e101613..a1e662c65e 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 0ef906a2b3..961744bbf6 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 692cb8899b..99d33dcb26 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@ ### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) ### [Preview features](microsoft-defender-atp/preview.md) ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) +### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
@@ -27,7 +28,7 @@ ### [Threat & Vulnerability Management]() #### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) #### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) +#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md) #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) #### [Configuration score](microsoft-defender-atp/configuration-score.md) #### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
@@ -443,7 +444,7 @@ ### [Configure integration with other Microsoft solutions]() #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) -#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) + ## Reference
@@ -583,7 +584,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) +##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 35ac0e33f0..039851e80d 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -77,7 +77,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender - [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) - [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) +- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) 
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index be304c5715..fcd89c3a81 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -26,7 +26,6 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https:// Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.

-![String of images showing scores](./images/Transparency-report-November1.png) **Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)** @@ -54,7 +53,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p - September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) -### AV-Comparatives: Protection rating of 99.9% in the latest test +### AV-Comparatives: Protection rating of 99.6% in the latest test Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index f1b9737820..da5160567b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -30,9 +30,9 @@ Your attack surface is the total number of places where an attacker could compro Attack surface reduction rules target software behaviors that are often abused by attackers, such as: -* Launching executable files and scripts that attempt to download or run files -* Running obfuscated or otherwise suspicious scripts -* Performing behaviors that apps don't usually initiate during normal day-to-day work +- Launching executable files and scripts that attempt to download or run files +- Running obfuscated or otherwise suspicious scripts +- Performing behaviors that apps don't usually initiate during normal day-to-day work These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. 
@@ -44,9 +44,11 @@ For more information about configuring attack surface reduction rules, see [Enab ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. +You can set attack surface reduction rules for computers running the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later -To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). 
These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center @@ -77,11 +79,11 @@ You can review the Windows event log to view events generated by attack surface This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: -Event ID | Description --|- -5007 | Event when settings are changed -1121 | Event when rule fires in Block-mode -1122 | Event when rule fires in Audit-mode +|Event ID | Description | +|---|---| +|5007 | Event when settings are changed | +|1121 | Event when rule fires in Block-mode | +|1122 | Event when rule fires in Audit-mode | The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. 
@@ -89,38 +91,42 @@ The "engine version" listed for attack surface reduction events in the event log The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: - Rule name | GUID | File & folder exclusions --|-|- -[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported -[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported -[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported -[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported -[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported -[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported -[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported -[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported -[Use advanced protection against 
ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported -[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported -[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported -[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported -[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported -[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported -[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported +| Rule name | GUID | File & folder exclusions | Minimum OS supported | +|-----|----|---|---| +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office applications from creating executable 
content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Use advanced protection against 
ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event 
subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | ### Block executable content from email client and webmail This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers: -* Executable files (such as .exe, .dll, or .scr) -* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail -GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` ### Block all Office applications from creating child processes 
@@ -128,27 +134,35 @@ This rule blocks Office apps from creating child processes. This includes Word, Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Office apps launching child processes Configuration Manager name: Block Office application from creating child processes -GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. + Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. 
These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) Intune name: Office apps/macros creating executable content SCCM name: Block Office applications from creating executable content -GUID: 3B576869-A4EC-4529-8536-B80A7769E899 +GUID: `3B576869-A4EC-4529-8536-B80A7769E899` ### Block Office applications from injecting code into other processes 
@@ -160,13 +174,17 @@ There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Office apps injecting code into other processes (no exceptions) Configuration Manager name: Block Office applications from injecting code into other processes -GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` ### Block JavaScript or VBScript from launching downloaded executable content 
@@ -177,13 +195,17 @@ Although not common, line-of-business applications sometimes use scripts to down > [!IMPORTANT] > File and folder exclusions don't apply to this attack surface reduction rule. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: js/vbs executing payload downloaded from Internet (no exceptions) Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content -GUID: D3E037E1-3EB8-44C8-A917-57927947596D +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` ### Block execution of potentially obfuscated scripts 
@@ -191,13 +213,17 @@ This rule detects suspicious properties within an obfuscated script. Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Obfuscated js/vbs/ps/macro code Configuration Manager name: Block execution of potentially obfuscated scripts. -GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` ### Block Win32 API calls from Office macros 
@@ -205,37 +231,42 @@ This rule prevents VBA macros from calling Win32 APIs. Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Win32 imports from Office macro code Configuration Manager name: Block Win32 API calls from Office macros -GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: -* Executable files (such as .exe, .dll, or .scr) +- Executable files (such as .exe, .dll, or .scr) -Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious. - -> [!NOTE] -> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. 
+Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. > [!IMPORTANT] -> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.

The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. > >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria -GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` ### Use advanced protection against ransomware 
@@ -244,13 +275,17 @@ This rule provides an extra layer of protection against ransomware. It scans exe > [!NOTE] > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Advanced ransomware protection Configuration Manager name: Use advanced protection against ransomware -GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 +GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` ### Block credential stealing from the Windows local security authority subsystem 
@@ -261,13 +296,17 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C > [!NOTE] > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: Flag credential stealing from the Windows local security authority subsystem Configuration Manager name: Block credential stealing from the Windows local security authority subsystem -GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block process creations originating from PSExec and WMI commands 
@@ -276,13 +315,16 @@ This rule blocks processes created through [PsExec](https://docs.microsoft.com/s > [!WARNING] > Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019 +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) Intune name: Process creation from PSExec and WMI commands Configuration Manager name: Not applicable -GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c +GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` ### Block untrusted and unsigned processes that run from USB 
@@ -291,13 +333,17 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 * Executable files (such as .exe, .dll, or .scr)
 * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 Intune name: Untrusted and unsigned processes that run from USB
 Configuration Manager name: Block untrusted and unsigned processes that run from USB
-GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
 ### Block Office communication application from creating child processes
@@ -308,13 +354,16 @@ This protects against social engineering attacks and prevents exploit code from
 > [!NOTE]
 > This rule applies to Outlook and Outlook.com only.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Intune name: Process creation from Office communication products (beta)
 Configuration Manager name: Not yet available
-GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
 ### Block Adobe Reader from creating child processes
@@ -322,13 +371,16 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
 Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 Intune name: Process creation from Adobe Reader (beta)
 Configuration Manager name: Not yet available
-GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
 ### Block persistence through WMI event subscription
@@ -336,17 +388,22 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-This rule was introduced in: Windows 10 1903, Windows Server 1903
+This rule was introduced in:
+- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
 Intune name: Block persistence through WMI event subscription
 Configuration Manager name: Not yet available
-GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
 ## Related topics
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 0b7d271c77..70890b48ee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -1,7 +1,7 @@
 ---
-title: Configure HP ArcSight to pull Microsoft Defender ATP detections
-description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
-keywords: configure hp arcsight, security information and events management tools, arcsight
+title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
+description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
+keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Configure HP ArcSight to pull Microsoft Defender ATP detections
+# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
 **Applies to:**
@@ -28,14 +28,15 @@ ms.topic: article
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
+You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
 >[!Note]
 >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
 >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
 ## Before you begin
-Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
+
+Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
 This section guides you in getting the necessary information to set and use the required configuration files correctly.
@@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the - WDATP-connector.properties - WDATP-connector.jsonparser.properties - You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization. + You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization. - Make sure you generate the following tokens and have them ready: - Access token
@@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
 You can generate these tokens from the **SIEM integration** setup section of the portal.
-## Install and configure HP ArcSight FlexConnector
+## Install and configure Micro Focus ArcSight FlexConnector
+
 The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
@@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - NOTE: - You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
+ > [!NOTE]
+ >
+ > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
@@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be -
Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

Enterprise Network Domain Names (Required)
Proxy servers proxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Internal proxy servers contoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Enterprise IPv4 Range (Required) Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Create work documents in enterprise-allowed apps. For desktop:

For mobile:

    @@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
      Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
    3. -
    4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

      Note
      Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
    5. +
    6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

      Note
      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. +
+ +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. -7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. + If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. + + If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. +8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. -9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. -10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. -11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. -12. 
Verify that the details in the **Add connector Summary** window is correct, then click **Next**. +12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. -13. Select **Install as a service** and click **Next**. +13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. -14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. +14. Select **Install as a service** and click **Next**. -15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. +15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. -16. Finish the installation by selecting **Exit** and **Next**. +16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +17. Finish the installation by selecting **Exit** and **Next**. + +## Install and configure the Micro Focus ArcSight console -## Install and configure the HP ArcSight console 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement 
@@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
 7. Click **Done** to quit the installer.
-8. Login to the HP ArcSight console.
+8. Login to the Micro Focus ArcSight console.
 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
 10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
-You can now run queries in the HP ArcSight console.
+You can now run queries in the Micro Focus ArcSight console.
 Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
-## Troubleshooting HP ArcSight connection
+## Troubleshooting Micro Focus ArcSight connection
+
 **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
 **Symptom:** You get the following error message:
@@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
 `Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
 **Solution:**
+
 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+
 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: `reauthenticate=true`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 09cd520b12..c5d535a96e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
 ## Before you begin
 If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
-For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
+For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
 ## Onboard machines using Microsoft Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 371aa16ecd..7fbe2b455b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -31,7 +31,7 @@ ms.topic: article
 > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
+Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
 The service supports the onboarding of the following servers:
 - Windows Server 2008 R2 SP1
@@ -46,7 +46,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
 > [!NOTE]
 > An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
 There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
@@ -77,7 +77,7 @@ You'll need to take the following steps if you choose to onboard servers through
 > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
 - Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
 > [!TIP]
@@ -87,7 +87,7 @@ You'll need to take the following steps if you choose to onboard servers through
 > [!IMPORTANT]
 > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
 The following steps are required to enable this integration:
 - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
@@ -100,7 +100,7 @@ The following steps are required to enable this integration:
 2. Select Windows Server 2012 R2 and 2016 as the operating system.
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
@@ -126,7 +126,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
 ## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
+To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below.
 > [!NOTE]
 > The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
@@ -140,11 +140,11 @@ Supported tools include:
 For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
 1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
 a. Set the following registry entry:
 - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@@ -165,17 +165,17 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
 ```sc query Windefend```
- If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+ If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
 ## Integration with Azure Security Center
-Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
 The following capabilities are included in this integration:
 - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
 > [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+ > Automated onboarding is only applicable for Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
 - Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
 - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a1d4579881..0786bb44f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -76,6 +76,9 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
 ### Use PowerShell to exclude files and folders
 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 655d13f73e..9b5990bdb7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -131,10 +131,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
 ## PowerShell
->[!WARNING]
->If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index a003bd5a09..f408e29140 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -67,6 +67,8 @@ Enable security information and event management (SIEM) integration so you can p
 > [!NOTE]
 > You'll need to generate a new Refresh token every 90 days.
+6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
+
 You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
 ## Integrate Microsoft Defender ATP with IBM QRadar
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index da28a46770..1d9da1a791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -58,6 +58,9 @@ Event ID | Description
 1124 | Audited controlled folder access event
 1123 | Blocked controlled folder access event
+> [!TIP]
+> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
+
 ## Customize protected folders and apps
 During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png
new file mode 100644
index 0000000000..94df3bad5b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png
new file mode 100644
index 0000000000..a08711f23f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png
new file mode 100644
index 0000000000..1e1e039268
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png
new file mode 100644
index 0000000000..a03e0732c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png
new file mode 100644
index 0000000000..5d1d428e9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png
new file mode 100644
index 0000000000..ba0576849e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png
new file mode 100644
index 0000000000..4854fa9f2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png
new file mode 100644
index 0000000000..3f1eb5d2b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png
new file mode 100644
index 0000000000..9a4fbebf8a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png
new file mode 100644
index 0000000000..7928a984a4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png
new file mode 100644
index 0000000000..1c81f3d4f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png
new file mode 100644
index 0000000000..86de17e266
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png
new file mode 100644
index 0000000000..eb8b56ee9b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png
new file mode 100644
index 0000000000..6754cafb4a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png
new file mode 100644
index 0000000000..da1c678a78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png
new file mode 100644
index 0000000000..b1c10100a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png
new file mode 100644
index 0000000000..4e584cf8ff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png
new file mode 100644
index 0000000000..409a17bd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png
new file mode 100644
index 0000000000..eff967231f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png
new file mode 100644
index 0000000000..633bdd07fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png
new file mode 100644
index 0000000000..4fa5bcefbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png
new file mode 100644
index 0000000000..57475dbc33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png
new file mode 100644
index 0000000000..8049e9ff17
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png
new file mode 100644
index 0000000000..b66bf94eed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png
new file mode 100644
index 0000000000..ac9b6fdbe0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png
new file mode 100644
index 0000000000..34013530b7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png
new file mode 100644
index 0000000000..ec02855c2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png
new file mode 100644
index 0000000000..3ca2697396
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png
new file mode 100644
index 0000000000..bae2cefcb1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png
new file mode 100644
index 0000000000..6b88d7c627
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png
new file mode 100644
index 0000000000..7d6da4c656
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png
new file mode 100644
index 0000000000..73d85b26ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png
new file mode 100644
index 0000000000..9106d38d7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png
new file mode 100644
index 0000000000..c7c9c0b861
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png
new file mode 100644
index 0000000000..48af27eb1f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png
new file mode 100644
index 0000000000..a066310eae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png
new file mode 100644
index 0000000000..5a7ce86cbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png
new file mode 100644
index 0000000000..d8b73ba265
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
deleted file mode 100644
index cf9f274980..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
deleted file mode 100644
index 9af2ad6945..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
deleted file mode 100644
index eb0adb5890..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
+++ /dev/null
@@ -1,95 +0,0 @@ ---- -title: Configure information protection in Windows -ms.reviewer: -description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. -keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Configure information protection in Windows - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. - ->[!TIP] -> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). - -If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file. 
- - - -## Prerequisites -- Endpoints need to be on Windows 10, version 1809 or later -- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration -- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) - - -## Configure endpoint data loss prevention -Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them. - ->[!NOTE] ->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. ->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. - -1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. -2. Define which labels need to get WIP protection in Office 365 Security and Compliance. - - 1. Go to: **Classifications > Labels**. - 2. Create a label or edit an existing one. - 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. - - ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png) - - 4. Repeat for every label that you want to get WIP applied to in Windows. 
- - - - -## Configure auto labeling - -Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types. - -Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention. - ->[!NOTE] -> Auto-labeling requires Windows 10, version 1903. - - -1. In Office 365 Security & Compliance, go to **Classifications > Labels**. - -2. Create a new label or edit an existing one. - - -3. Set a policy for Data classification: - - 1. Go through the label creation wizard. - 2. When you reach the Auto labeling page, turn on auto labeling toggle on. - 3. Add a new auto-labeling rule with the conditions that you require. - - ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png) - - 4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label". - - - - - - -## Related topic -- [Information protection in Windows overview](information-protection-in-windows-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 800351a160..34cb228572 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md 
@@ -27,7 +27,6 @@ ms.topic: conceptual
 Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
-Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
 >[!TIP]
 > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
@@ -95,36 +94,6 @@ InformationProtectionLogs_CL
 - Enable Azure Information Protection integration in Microsoft Defender Security Center:
 - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
-## Data protection
-
-### Endpoint data loss prevention
-
-For data to be protected, they must first be identified through labels.
-
-Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
-
-When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
-
-For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
-
-![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
-
-Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
-
-This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-## Auto labeling
-
-Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
- Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
-
-> [!NOTE]
-> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 1ea46c138a..5d6395cdf9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -43,6 +43,9 @@ The choice of the channel determines the type and frequency of updates that are
 In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+> [!WARNING]
+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
 ### RHEL and variants (CentOS and Oracle Linux)
 - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
@@ -201,15 +204,19 @@ Download the onboarding package from Microsoft Defender Security Center:
 4. From a command prompt, verify that you have the file. Extract the contents of the archive:
- ```bash
- ls -l
- total 8
- -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+```bash
+ls -l
+```
- unzip WindowsDefenderATPOnboardingPackage.zip
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: WindowsDefenderATPOnboarding.py
- ```
+`total 8`
+`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+
+```bash
+unzip WindowsDefenderATPOnboardingPackage.zip
+```
+
+`Archive: WindowsDefenderATPOnboardingPackage.zip`
+`inflating: WindowsDefenderATPOnboarding.py`
 ## Client configuration
@@ -231,14 +238,12 @@ Download the onboarding package from Microsoft Defender Security Center:
 ```bash
 mdatp --health orgId
- [your organization identifier]
 ```
 4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
 ```bash
 mdatp --health healthy
- 1
 ```
 > [!IMPORTANT]
@@ -248,22 +253,21 @@ Download the onboarding package from Microsoft Defender Security Center:
 - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
- ```bash
- mdatp --health realTimeProtectionEnabled
- 1
- ```
+ ```bash
+ mdatp --health realTimeProtectionEnabled
+ ```
 - Open a Terminal window. Copy and execute the following command:
- ``` bash
- curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
- ```
+ ``` bash
+ curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ ```
 - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
- ```bash
- mdatp --threat --list --pretty
- ```
+ ```bash
+ mdatp --threat --list --pretty
+ ```
 ## Log installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 373d409cfd..d097245cf8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -139,6 +139,9 @@ Create subtask or role files that contribute to an actual task. First create the In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. + > [!WARNING] + > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the following commands, replace *[distro]* and *[version]* with the information you've identified. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 89133920ec..92c721fedf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- 
@@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash $ ls -l total 8 @@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: 
@@ -84,46 +84,74 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. +> [!WARNING] +> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the below commands, replace *[distro]* and *[version]* with the information you've identified: > [!NOTE] -> In case of Oracle Linux, replace *[distro]* with “rhel”. +> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'. ```puppet -class install_mdatp { +# Puppet manifest to install Microsoft Defender ATP. +# @param channel The release channel based on your environment, insider-fast or prod. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'. +# @param version The Linux distribution release number, e.g. 7.4. 
- if ($osfamily == 'Debian') { - apt::source { 'microsoftpackages' : - location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS - release => '[channel]', - repos => 'main', - key => { - 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', - 'server' => 'https://packages.microsoft.com/keys/microsoft.asc', - }, +class install_mdatp ( +$channel = 'insiders-fast', +$distro = undef, +$version = undef +){ + case $::osfamily { + 'Debian' : { + apt::source { 'microsoftpackages' : + location => "https://packages.microsoft.com/${distro}/${version}/prod", + release => $channel, + repos => 'main', + key => { + 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', + 'server' => 'keyserver.ubuntu.com', + }, + } } - } - else { - yumrepo { 'microsoftpackages' : - baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS - enabled => 1, - gpgcheck => 1, - gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + 'RedHat' : { + yumrepo { 'microsoftpackages' : + baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + descr => "packages-microsoft-com-prod-${channel}", + enabled => 1, + gpgcheck => 1, + gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + } } + default : { fail("${::osfamily} is currently not supported.") } } - package { 'mdatp': - ensure => 'installed', - } + case $::osfamily { + /(Debian|RedHat)/: { + file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: + ensure => directory, + owner => root, + group => root, + mode => '0755' + } - file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: - ensure => directory, - } - file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - mode => "0644", - source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': + source => 'puppet:///modules/mdatp/mdatp_onboard.json', + 
owner => root, + group => root, + mode => '0600', + require => File['/etc/opt/microsoft/mdatp'] + } + + package { 'mdatp': + ensure => 'installed', + require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json'] + } + } + default : { fail("${::osfamily} is currently not supported.") } } } ``` @@ -162,7 +190,7 @@ orgId : "[your organization identifier]" You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: ```bash -$ mdatp --health healthy +mdatp --health healthy ``` The above command prints `1` if the product is onboarded and functioning as expected. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index d34c004a38..308e1695b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md 
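Review bot: The onboarding file's `source` in the second `case` block points at a module named `mdatp` (`puppet:///modules/mdatp/mdatp_onboard.json`), while the surrounding prose and the removed line place the file under `install_mdatp/files`, so the agent will not find it; it should read `source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',`. In the Debian branch the signing key is now fetched from `keyserver.ubuntu.com` instead of the vendor's HTTPS endpoint — presumably because puppetlabs-apt's `server` expects a keyserver hostname rather than a URL — and the full fingerprint in `id` still pins what is accepted, but a public keyserver adds an availability dependency and a weaker transport; puppetlabs-apt takes a URL through `source`, so `'source' => 'https://packages.microsoft.com/keys/microsoft.asc'` keeps the key anchored to the vendor over TLS. `$distro` and `$version` default to `undef` with no check, so a missing parameter silently yields repository URLs such as `https://packages.microsoft.com///prod`; a guard like `if $distro == undef or $version == undef { fail('distro and version must be set') }` at the top of the class would surface that at catalog compile time instead.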
@@ -54,7 +54,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping > [!WARNING] > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. > -> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception. +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port: diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 80231ef03d..aa9058cedb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,6 +1,6 @@ --- title: Investigate entities on machines using live response in Microsoft Defender ATP -description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. +description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time. keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -17,29 +17,42 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Investigate entities on machines using live response +# Investigate entities on devices using live response **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats –- in real time. -Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. +Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW] -With live response, analysts will have the ability to: -- Run basic and advanced commands to do investigative work +With live response, analysts can do all of the following tasks: +- Run basic and advanced commands to do investigative work on a device - Download files such as malware samples and outcomes of PowerShell scripts -- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level +- Download files in the background (new!) 
+- Upload a PowerShell script or executable to the library and run it on a device from a tenant level - Take or undo remediation actions - ## Before you begin -Before you can initiate a session on a machine, make sure you fulfill the following requirements: -- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. +Before you can initiate a session on a device, make sure you fulfill the following requirements: + +- **Verify that you're running a supported version of Windows 10**
+Devices must be running one of the following versions of Windows 10: + - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later + - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) + - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) + - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) + - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) + +- **Make sure to install appropriate security updates**
+ - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384) + - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) + - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) + - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) - **Enable live response from the settings page**
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. @@ -52,18 +65,18 @@ You'll need to enable the live response capability in the [Advanced features set >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). > [!IMPORTANT] > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. - Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role. ## Live response dashboard overview -When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: +When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following: - Who created the session - When the session started 
@@ -79,81 +92,109 @@ The dashboard also gives you access to: ## Initiate a live response session on a machine 1. Log in to Microsoft Defender Security Center. -2. Navigate to the machines list page and select a machine to investigate. The machine page opens. - >[!NOTE] - >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. +2. Navigate to the devices list page and select a machine to investigate. The machines page opens. -2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. -3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). -4. After completing your investigation, select **Disconnect session**, then select **Confirm**. +3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device. +4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands). +5. After completing your investigation, select **Disconnect session**, then select **Confirm**. ## Live response commands -Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md). ### Basic commands -The following commands are available for user roles that's been granted the ability to run **basic** live response commands. 
For more information on role assignments see, [Create and manage roles](user-roles.md). -Command | Description -:---|:---|:--- -cd | Changes the current directory. -cls | Clears the console screen. -connect | Initiates a live response session to the machine. -connections | Shows all the active connections. -dir | Shows a list of files and subdirectories in a directory -drivers | Shows all drivers installed on the machine. -fileinfo | Get information about a file. -findfile | Locates files by a given name on the machine. -help | Provides help information for live response commands. -persistence | Shows all known persistence methods on the machine. -processes | Shows all processes running on the machine. -registry | Shows registry values. -scheduledtasks| Shows all scheduled tasks on the machine. -services | Shows all services on the machine. -trace | Sets the terminal's logging mode to debug. +The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md). +| Command | Description | +|---|---|--- | +|`cd` | Changes the current directory. | +|`cls` | Clears the console screen. | +|`connect` | Initiates a live response session to the device. | +|`connections` | Shows all the active connections. | +|`dir` | Shows a list of files and subdirectories in a directory. | +|`download &` | Downloads a file in the background. | +drivers | Shows all drivers installed on the device. | +|`fg ` | Returns a file download to the foreground. | +|`fileinfo` | Get information about a file. | +|`findfile` | Locates files by a given name on the device. | +|`help` | Provides help information for live response commands. | +|`persistence` | Shows all known persistence methods on the device. | +|`processes` | Shows all processes running on the device. | +|`registry` | Shows registry values. 
| +|`scheduledtasks` | Shows all scheduled tasks on the device. | +|`services` | Shows all services on the device. | +|`trace` | Sets the terminal's logging mode to debug. | ### Advanced commands -The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). +The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). -Command | Description -:---|:--- -analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. -run | Runs a PowerShell script from the library on the machine. -library | Lists files that were uploaded to the live response library. -putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. -undo | Restores an entity that was remediated. +| Command | Description | +|---|---| +| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. | +| `getfile` | Gets a file from the device.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. | +| `run` | Runs a PowerShell script from the library on the device. | +| `library` | Lists files that were uploaded to the live response library. | +| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | +| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command. +|`undo` | Restores an entity that was remediated. | ## Use live response commands + The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c). -The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. +The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity. ### Get a file from the machine -For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. + +For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation. >[!NOTE] >There is a file size limit of 750mb. +### Download a file in the background + +To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background. + +- To download a file in the background, in the live response command console, type `download &` +- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z. +- To bring a file download to the foreground, in the live response command console, type `fg ` + +Here are some examples: + + +|Command |What it does | +|---------|---------| +|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. 
| +|`fg 1234` |Returns a download with command ID *1234* to the foreground | + + ### Put a file in the library + Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. -You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. +You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with. + +#### To upload a file in the library -**To upload a file in the library:** 1. Click **Upload file to library**. + 2. Click **Browse** and select the file. + 3. Provide a brief description. + 4. Specify if you'd like to overwrite a file with the same name. + 5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. + 6. Click **Confirm**. + 7. (Optional) To verify that the file was uploaded to the library, run the `library` command. @@ -163,9 +204,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C. >[!WARNING] >Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. - - ### Automatically run prerequisite commands + Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. You can use the auto flag to automatically run prerequisite commands, for example: 
@@ -174,8 +214,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl getfile c:\Users\user\Desktop\work.txt -auto ``` - ## Run a PowerShell script + Before you can run a PowerShell script, you must first upload it to the library. After uploading the script to the library, use the `run` command to run the script. @@ -185,9 +225,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - - ## Apply command parameters + - View the console help to learn about command parameters. To learn about an individual command, run: `help ` @@ -204,9 +243,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the ` -type file -id - auto` or `remediate file - auto`. - - ## Supported output types + Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: - `-output json` @@ -215,8 +253,8 @@ Live response supports table and JSON format output types. For each command, the >[!NOTE] >Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. - ## Supported output pipes + Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. Example: 
@@ -225,27 +263,24 @@ Example: processes > output.txt ``` - - ## View the command log -Select the **Command log** tab to see the commands used on the machine during a session. + +Select the **Command log** tab to see the commands used on the device during a session. Each command is tracked with full details such as: - ID - Command line - Duration - Status and input or output side bar - - - ## Limitations + - Live response sessions are limited to 10 live response sessions at a time - Large scale command execution is not supported - A user can only initiate one session at a time -- A machine can only be in one session at a time -- There is a file size limit of 750mb when downloading files from a machine +- A device can only be in one session at a time +- There is a file size limit of 750mb when downloading files from a device -## Related topic +## Related article - [Live response command examples](live-response-command-examples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 9a7563b95c..1daa3a12b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md 
@@ -24,15 +24,29 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Client device setup](#client-device-setup) -- [Create System Configuration profiles](#create-system-configuration-profiles) -- [Publish application](#publish-application) + +1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +1. [Client device setup](#client-device-setup) +1. [Create System Configuration profiles](#create-system-configuration-profiles) +1. [Publish application](#publish-application) ## Prerequisites and system requirements Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +## Overview + +The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below. 
+ +| Step | Sample file names | BundleIdentifier | +|-|-|-| +| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | +| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A | +| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | +| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | +| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray | + ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 
@@ -86,23 +100,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi ## Client device setup -You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). +You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). -1. You are asked to confirm device management. +1. Confirm device management. - ![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) +![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) - Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: +Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: - ![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) +![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) 2. Select **Continue** and complete the enrollment. - You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. +You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. 
Here you can see your device among those listed: - ![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) +![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) ## Create System Configuration profiles @@ -116,7 +130,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. 6. Repeat steps 1 through 5 for more profiles. 7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. +8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it. > [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. @@ -187,7 +201,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por ``` -9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: +9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: ```xml 
@@ -284,9 +298,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. - Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: +Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: - ![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) +![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) ## Publish application 
@@ -294,11 +308,13 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS High Sierra 10.13** as the minimum OS. +5. Use **macOS High Sierra 10.13** as the minimum OS. 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] - > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. + > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. + > + > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. 
![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) @@ -311,7 +327,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por ![Client apps screenshot](../windows-defender-antivirus/images/MDATP-10-ClientApps.png) 9. Change **Assignment type** to **Required**. -10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. +10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. ![Intune assignments info screenshot](../windows-defender-antivirus/images/MDATP-11-Assignments.png) @@ -341,7 +357,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende ## Logging installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) . +For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues). ## Uninstallation diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 94bb66756c..da29d3b4a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md 
@@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.date: 04/10/2020 --- # JAMF-based deployment for Microsoft Defender ATP for Mac @@ -24,11 +25,12 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: -- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -- [Create JAMF policies](#create-jamf-policies) -- [Client device setup](#client-device-setup) -- [Deployment](#deployment) -- [Check onboarding status](#check-onboarding-status) + +1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +1. [Create JAMF policies](#create-jamf-policies) +1. [Client device setup](#client-device-setup) +1. [Deployment](#deployment) +1. [Check onboarding status](#check-onboarding-status) ## Prerequisites and system requirements 
@@ -36,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. +## Overview + +The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below. + +| Step | Sample file names | BundleIdentifier | +|-|-|-| +| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | +| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)

**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav | +| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray | +| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 | +| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc | +| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A | + ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 
@@ -43,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi 1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. 2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. 3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. - - >[!NOTE] - >Jamf falls under **Mobile Device Management**. - + + > [!NOTE] + > Jamf falls under **Mobile Device Management**. + 4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/jamf-onboarding.png) -5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: +6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: ```bash $ ls -l 
@@ -73,17 +88,18 @@ You need to create a configuration profile and a policy to start deploying Micro ### Configuration Profile -The configuration profile contains a custom settings payload that includes: +The configuration profile contains a custom settings payload that includes the following: - Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver +- Approved Kernel Extensions payload to enable running the Microsoft kernel driver + +To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list. -To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. >[!IMPORTANT] - > You must set the Preference Domain as "com.microsoft.wdav.atp" + > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro). -![Configuration profile screenshot](../windows-defender-antivirus/images/MDATP-16-PreferenceDomain.png) +![Configuration profile screenshot](./images/msdefender-mac-config-profile.png) ### Approved Kernel Extension 
@@ -230,6 +246,7 @@ $ mdatp --health healthy The above command prints "1" if the product is onboarded and functioning as expected. If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: + - 0 if the device is not yet onboarded - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 6c5a04ada0..19065efe0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -310,17 +310,6 @@ Manage the preferences of the endpoint detection and response (EDR) component of | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | -#### Enable / disable early preview - -Specify whether to enable EDR early preview features. - -||| -|:---|:---| -| **Domain** | `com.microsoft.wdav` | -| **Key** | earlyPreview | -| **Data type** | Boolean | -| **Possible values** | true (default)
false | - #### Device tags Specify a tag name and its value. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 14e534cd2c..b84dce1ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -85,6 +85,9 @@ If you experience any installation failures, refer to [Troubleshooting installat - Minimum kernel version 2.6.38 - The `fanotify` kernel option must be enabled + > [!CAUTION] + > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. + - Disk space: 650 MB - The solution currently provides real-time protection for the following file system types: @@ -111,7 +114,7 @@ The following table lists the services and their associated URLs that your netwo | United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net 
ussus1westprod.blob.core.windows.net | > [!NOTE] -> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server) +> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Transparent proxy @@ -119,7 +122,12 @@ Microsoft Defender ATP can discover a proxy server by using the following discov If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md). -For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page. +> [!WARNING] +> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. +> +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. + +For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md). ## How to update Microsoft Defender ATP for Linux 
@@ -131,4 +139,4 @@ Guidance for how to configure the product in enterprise environments is availabl ## Resources -- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page. +- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index d5135bbd1c..a22b112426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -79,11 +79,17 @@ The following table lists the services and their associated URLs that your netwo | United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net 
ussus1westprod.blob.core.windows.net | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +- Proxy auto-config (PAC) - Web Proxy Auto-discovery Protocol (WPAD) - Manual static proxy configuration If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. +> [!WARNING] +> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. +> +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. + To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. If you prefer the command line, you can also check the connection by running the following command in Terminal: diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index eed0fc1ca1..baef5fe6ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- 
@@ -24,12 +24,12 @@ ms.topic: conceptual There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink). ->[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +> [!TIP] +> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). +> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: 
@@ -40,7 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) -For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. +For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). @@ -53,13 +53,14 @@ For more information about licensing requirements for Microsoft Defender ATP pla Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: - Microsoft Edge - Internet Explorer version 11 -- Google Chrome +- Google Chrome ->[!NOTE] ->While other browsers might work, the mentioned browsers are the ones supported. +> [!NOTE] +> While other browsers might work, the mentioned browsers are the ones supported. ## Hardware and software requirements + ### Supported Windows versions - Windows 7 SP1 Enterprise - Windows 7 SP1 Pro @@ -67,6 +68,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo - Windows 8.1 Pro - Windows 10, version 1607 or later - Windows 10 Enterprise + - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/) - Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education 
@@ -82,24 +84,25 @@ Machines on your network must be running one of these editions. The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions. > [!NOTE] -> Machines that are running mobile versions of Windows are not supported. +> Machines running mobile versions of Windows are not supported. ### Other supported operating systems -- macOSX -- Linux -- Android +- macOSX +- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux) ->[!NOTE] ->You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. +> [!NOTE] +> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. +> +> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux. ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] -> - You cannot change your data storage location after the first-time setup. -> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. +> - You cannot change your data storage location after the first-time setup. +> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. ### Diagnostic data settings 
@@ -131,12 +134,11 @@ By default, this service is enabled, but it's good practice to check to ensu If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. - **Use the command line to set the Windows 10 diagnostic data service to automatically start:** 1. Open an elevated command-line prompt on the endpoint: - a. Go to **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. 
@@ -153,22 +155,18 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the ``` - #### Internet connectivity Internet connectivity on machines is required either directly or through proxy. The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. -For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) . +For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md). Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. - - - ## Windows Defender Antivirus configuration requirement -The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. +The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). 
@@ -177,7 +175,7 @@ When Windows Defender Antivirus is not the active antimalware in your organizati If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). > [!NOTE] -> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on. +> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). @@ -188,9 +186,6 @@ If you're running Windows Defender Antivirus as the primary antimalware product If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). - - - -## Related topic +## Related topics - [Validate licensing and complete setup](licensing.md) - [Onboard machines](onboard-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 3b7f738894..3a1e55ca42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md 
@@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager. 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) 2. Right Click **Device Collection** and select **Create Device Collection**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) 4. Select **Add Rule** and choose **Query Rule**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) 5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) 6. Select **Criteria** and then choose the star icon. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) 7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. 
- ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) 8. Select **Next** and **Close**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) 9. Select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. @@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) -3. Select **Download package**. +3. Select **Download package**. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) @@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices. 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) 8. Click **Browse**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index ceb8637a40..db2e81192e 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -22,25 +22,24 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. +Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches. You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: + - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses -- Change Microsoft Defender ATP settings, including time zone and review licensing information. +- Change Microsoft Defender ATP settings, including time zone and review licensing information ## Microsoft Defender Security Center -When you open the portal, you’ll see the main areas of the application: - ![Microsoft Defender Advanced Threat Protection portal](images/dashboard.png) +When you open the portal, you'll see: -- (1) Navigation pane -- (2) Main portal -- (3) Search, Community center, Time settings, Help and support, Feedback +- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it) +- (2) Search, Community center, Localization, Help and support, Feedback + + ![Microsoft Defender Advanced Threat Protection portal](images/mdatp-portal-overview.png) > [!NOTE] > Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product. 
@@ -49,27 +48,27 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. -**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard. +**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it. +**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards. **Incidents** | View alerts that have been aggregated as incidents. -**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts. +**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels. **Alerts queue** | View alerts generated from machines in your organizations. -**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation. 
+**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation. **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. -**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach -**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender. +**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability. +**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings. **Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations. -**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment. -**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines. 
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. -**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. -**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. +**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment. +**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. +**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines. +**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments. +**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation.

**Community center** - Access the Community center to learn, collaborate, and share experiences about the product.

**Localization** - Set time zones.

**Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.

**Feedback** - Provide comments about what you like or what we can do better. > [!NOTE] > For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions. ## Microsoft Defender ATP icons + The following table provides information on the icons used all throughout the portal: Icon | Description 
@@ -105,22 +104,23 @@ Icon | Description ![Memory allocation icon](images/atp-memory-allocation-icon.png)| Memory allocation ![Process injection icon](images/atp-process-injection.png)| Process injection ![Powershell command run icon](images/atp-powershell-command-run-icon.png)| Powershell command run -![Community center icon](images/atp-community-center.png) | Community center +![Community center icon](images/atp-community-center.png) | Community center ![Notifications icon](images/atp-notifications.png) | Notifications ![No threats found](images/no-threats-found.png) | Automated investigation - no threats found ![Failed icon](images/failed.png) | Automated investigation - failed ![Partially remediated icon](images/partially-investigated.png) | Automated investigation - partially investigated -![Termindated by system](images/terminated-by-system.png) | Automated investigation - terminated by system +![Terminated by system](images/terminated-by-system.png) | Automated investigation - terminated by system ![Pending icon](images/pending.png) | Automated investigation - pending ![Running icon](images/running.png) | Automated investigation - running -![Remediated icon](images/remediated.png) | Automated investigation - remediated +![Remediated icon](images/remediated.png) | Automated investigation - remediated ![Partially investigated icon](images/partially_remediated.png) | Automated investigation - partially remediated ![Threat insights icon](images/tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights -![Possible active alert icon](images/tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert +![Possible active alert icon](images/tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert ![Recommendation insights icon](images/tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights ## Related topics -- [Understand the Microsoft Defender Advanced Threat Protection 
portal](use.md) + +- [Overview of Microsoft Defender Security Center](use.md) - [View the Security operations dashboard](security-operations-dashboard.md) - [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index c55fe2642d..e4676f46b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -46,8 +46,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea The following features are included in the preview release: - [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. -- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. - - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.

Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information. - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index e52e94be42..f2c30ec2e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -175,7 +175,7 @@ Here is an example return value: ## Code examples ### Get access token -The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API. +The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API. ```csharp AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId)); 
@@ -183,19 +183,114 @@ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult(); ``` -### Use token to connect to the detections endpoint +```PowerShell +#Get current working directory +$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent +#Paste below your Tenant ID, App ID and App Secret (App key). +$tenantId = '' ### Paste your tenant ID here +$appId = '' ### Paste your Application ID here +$appSecret = '' ### Paste your Application secret here + +$resourceAppIdUri = 'https://graph.windows.net' +$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} + +#call API +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$authResponse +Out-File -FilePath "$scriptDir\LatestSIEM-token.txt" -InputObject $authResponse.access_token ``` + +```Bash +tenantId='' ### Paste your tenant ID here +appId='' ### Paste your Application ID here +appSecret='' ### Paste your Application secret here +resourceAppIdUri='https://graph.windows.net' +oAuthUri="https://login.windows.net/$tenantId/oauth2/token" +scriptDir=$(pwd) + +apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\ + grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1) +IFS="," +apiResponseArr=($apiResponse) +IFS=":" +tokenArr=(${apiResponseArr[6]}) +echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt +``` + +### Use token to connect to the detections endpoint +The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts. 
+ +```csharp HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); string detectionsJson = response.Content.ReadAsStringAsync().Result; Console.WriteLine("Got detections list: {0}", detectionsJson); - ``` +```PowerShell +#Get current working directory +$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent +#run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-SIEMToken.ps1 +$token = Get-Content "$scriptDir\LatestSIEM-token.txt" +#Get Alert from the last xx hours 200 in this example. Make sure you have alerts in that time frame. +$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o") + +#test SIEM API +$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000' + +#Set the WebRequest headers +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $token" +} + +#Send the webrequest and get the results. +$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop +$response +Write-Host + +#Extract the alerts from the results. This works for SIEM API: +$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json + +#Get string with the execution time. 
We concatenate that string to the output file to avoid overwrite the file +$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."} + +#Save the result as json and as csv +$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json" +$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv" + +Out-File -FilePath $outputJsonPath -InputObject $alerts +Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation +``` + +```Bash +#Get current working directory +scriptDir=$(pwd) + +#get the token +token=$(<$scriptDir/LatestSIEM-token.txt) + +#test the SIEM API, get alerts since 1/1/2020 +url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000' + +#send web requst to API and echo JSON content +apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\ + -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1) +echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!" +echo +echo $apiResponse +``` ## Error codes The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 8464786570..d5491f5b3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
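Review bot: In the new Bash samples, `curl -s X POST "$oAuthUri" ...` and `curl -s X GET "$url" ...` are missing the dash on `-X`, so curl treats `X` and `POST`/`GET` as additional URLs to fetch and the token request only works because `-d` already implies POST; the same typo is in the alerts sample further down the hunk. The token sample also appends to `LatestSIEM-token.txt` with `>>` and leaves the file with default permissions, so each run accumulates a bearer token in a plain-text file in the working directory and the alerts sample's `$(<$scriptDir/LatestSIEM-token.txt)` then reads every previous token as well; writing with `>` under a restrictive umask (or an explicit `chmod 600`) keeps one current token and limits its exposure, and the client secret is additionally visible on the process list as a curl argument, which reading the body from a file (`-d @file`) would avoid. Extracting the token with `cut` and `${apiResponseArr[6]}` depends on the field order of the OAuth JSON response, which is not guaranteed, and the unquoted `echo $apiResponse` / `echo ${tokenArr[1]}` word-split the data. The PowerShell token sample likewise prints `$authResponse`, which includes `access_token`, to the console, and the PowerShell alerts sample computes `$dateTime` but never uses it because `$url` hard-codes `sinceTimeUtc=2020-01-01`.
```shell
# … unchanged: tenantId / appId / appSecret / resourceAppIdUri / oAuthUri / scriptDir assignments …
apiResponse=$(curl -s -X POST "$oAuthUri" \
  --data-urlencode "resource=$resourceAppIdUri" \
  --data-urlencode "client_id=$appId" \
  --data-urlencode "client_secret=$appSecret" \
  --data-urlencode "grant_type=client_credentials")
# pick access_token by name rather than by position; overwrite (not append) and keep the file private
umask 077
printf '%s\n' "$apiResponse" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p' > "$scriptDir/LatestSIEM-token.txt"
```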
@@ -29,8 +29,10 @@ ms.topic: article ## APIs -Threat and vulnerability management supports multiple APIs. See the following topics for related APIs: +Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +See the following topics for related APIs: +- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) - [Machine APIs](machine.md) - [Recommendation APIs](vulnerability.md) - [Score APIs](score.md) 
@@ -97,15 +99,16 @@ After you have identified which software and software versions are vulnerable du ## Related topics +- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [APIs](threat-and-vuln-mgt-scenarios.md#apis) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index e4cd47a5a8..317cac63d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting --- 
@@ -68,7 +68,7 @@ If the script fails and the event is an error, you can check the event ID in the Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -79,7 +79,7 @@ Event ID | Error Type | Resolution steps ### Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: 
@@ -87,7 +87,7 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: @@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Select **Operational** to load the log. 
@@ -282,28 +282,125 @@ You might also need to check the following: - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. -- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, +- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, ![Image of Services](images/atp-services.png) -- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. +- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) -- Check to see that machines are reflected in the **Machines list** in the portal. +- Check to see that machines are reflected in the **Machines list** in the portal. + +## Confirming onboarding of newly built machines +There may be instances when onboarding is deployed on a newly built machine but not completed. + +The steps below provide guidance for the following scenario: +- Onboarding package is deployed to newly built machines +- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed +- Machine is turned off or restarted before the end user performs a first logon +- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed + +>[!NOTE] +>The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch) -## Licensing requirements -Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +1. Create an application in Microsoft Endpoint Configuration Manager current branch. 
-- Windows 10 Enterprise E5 -- Windows 10 Education E5 -- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-1.png) -For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2). +2. Select **Manually specify the application information**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-2.png) +3. Specify information about the application, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-3.png) + +4. Specify information about the software center, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-4.png) + +5. In **Deployment types** select **Add**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-5.png) + +6. Select **Manually specify the deployment type information**, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-6.png) + +7. Specify information about the deployment type, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-7.png) + +8. In **Content** > **Installation program** specify the command: `net start sense`. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-8.png) + +9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-9.png) + +10. Specify the following detection rule details, then select **OK**: + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-10.png) + +11. In **Detection method** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-11.png) + +12. 
In **User Experience**, specify the following information, then select **Next**: + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-12.png) + +13. In **Requirements**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-13.png) + +14. In **Dependencies**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-14.png) + +15. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-15.png) + +16. In **Completion**, select **Close**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-16.png) + +17. In **Deployment types**, select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-17.png) + +18. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-18.png) + + The status is then displayed + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-19.png) + +19. In **Completion**, select **Close**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-20.png) + +20. You can now deploy the application by right-clicking the app and selecting **Deploy**. + + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-21.png) + +21. In **General** select **Automatically distribute content for dependencies** and **Browse**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-22.png) + +22. In **Content** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-23.png) + +23. In **Deployment settings**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-24.png) + +24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**. 
+ ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-25.png) + +25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-26.png) + +26. In **Alerts** select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-27.png) + +27. In **Summary**, select **Next**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-28.png) + + The status is then displayed + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-29.png) + +28. In **Completion**, select **Close**. + ![Image of Microsoft Endpoint Configuration Manager configuration](images/mecm-30.png) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index e35d189282..05264dcf03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,5 +1,5 @@ --- -title: Threat & Vulnerability Management dashboard overview +title: Threat & Vulnerability Management dashboard insights description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score search.appverid: met150 
@@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Threat & Vulnerability Management dashboard overview +# Threat & Vulnerability Management dashboard insights **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 3078eee09f..0305625c65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -51,20 +51,20 @@ You can remediate the issues based on prioritized [security recommendations](tvm To lower your threat and vulnerability exposure, follow these steps. -1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens. +1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) and select an item on the list. - Always prioritize recommendations that are associated with ongoing threats: + ![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) - - ![Threat insight](images/tvm_bug_icon.png) Threat insight icon - - ![Possible active alert](images/tvm_alert_icon.png) Active alert icon + Always prioritize recommendations that are associated with ongoing threats: - ![Screenshot of security recommendations page](images/top-security-recommendations350.png) + - ![Red bug](images/tvm_bug_icon.png) Threat insight icon + - ![Arrow hitting a target](images/tvm_alert_icon.png) Active alert icon -2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) +2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. 
The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. ![Example of security recommendations page with the flyout "Update Windows Server 2019" open.](images/tvm_security_recommendations_page.png) -3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) +3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Example of the software page for Git, and a flyout open for a selected machine.](images/tvm_software_page_details.png) -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png) +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Example of a machine page.](images/tvm_machine_page_details.png) 5. Allow a few hours for the changes to propagate in the system. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 7dfa480444..239b7afd31 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -32,48 +32,35 @@ Lower your organization's exposure from vulnerabilities and increase your securi ## Navigate to the Remediation page -You can access the remediation page though the navigation menu, and top remediation activities in the dashboard. +You can access the Remediation page a few different ways: + +- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) ### Navigation menu -Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. Select the remediation activity that you want to view. -![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png) +Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. ### Top remediation activities in the dashboard View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. +![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png) + ## Remediation activities When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. 
A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. +![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and machine remediation progress.](images/remediation_flyouteolsw.png) + ## Exceptions -You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). - -[File for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md). - -### Exception justification - -If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. 
The following list details the justifications behind the exception options: - -- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus -- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow -- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive -- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization -- **Other** - False positive - -![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png) - -### Where to find exceptions +When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md). The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. -![Screenshot of exception tab and filters](images/tvm-exception-filters.png) - -You can also select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. Selecting the link opens a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. - -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png) +![Example of the exception page and filter options.](images/tvm-exception-filters.png) ### Exception actions and statuses 
@@ -98,7 +85,13 @@ Creating an exception can potentially affect the Exposure Score (for both types The exception impact shows on both the Security recommendations page column and in the flyout pane. -![Screenshot of where to find the exception impact](images/tvm-exception-impact.png) +![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) + +### View exceptions in other places + +Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 683aa6e7a0..c3e900103b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] 
@@ -31,7 +31,7 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. -## Criteria +## How it works Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time. @@ -41,9 +41,17 @@ Each machine in the organization is scored based on three important factors to h - **Business value** - Your organization's assets, critical processes, and intellectual properties -## Navigate to security recommendations +## Navigate to the Security recommendations page -You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management navigation menu, dashboard, software page, and machine page. +Access the Security recommendations page a few different ways: + +- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) + +View related security recommendations in the following places: + +- Software page +- Machine page ### Navigation menu 
@@ -53,7 +61,7 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. -![Screenshot of security recommendations page](images/top-security-recommendations350.png) +![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. @@ -63,17 +71,17 @@ View recommendations, the number of weaknesses found, related components, threat The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green. -![Screenshot of security recommendations page](images/tvmsecrec-updated.png) +![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png) ### Icons -Useful icons also quickly calls your attention to:

  • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
  • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
  • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

+Useful icons also quickly calls your attention to:
  • ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts
  • ![red bug](images/tvm_bug_icon.png) associated public exploits
  • ![light bulb](images/tvm_insight_icon.png) recommendation insights

### Investigate Select the security recommendation that you want to investigate or process. -![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png) +![Example of a security recommendation flyout page.](images/secrec-flyouteolsw.png) From the flyout, you can do any of the following: 
@@ -122,11 +130,17 @@ Exceptions can be created for both Security update and Configuration change reco When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. 1. Select a security recommendation you would like create an exception for, and then **Exception options**. -![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png) +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) 2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. -> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) + The following list details the justifications behind the exception options: + + - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus + - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow + - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive + - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + - **Other** - False positive 3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. 
@@ -140,15 +154,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**. -![Screenshot of Report inaccuracy control](images/report-inaccuracy500.png) +![Showing where the "Report inaccuracy" button is in a security recommendation flyout.](images/report-inaccuracy500.png) 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png) - 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. - ## Related topics - [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index c56539dc1b..2f1c8da158 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md 
@@ -27,51 +27,65 @@ ms.topic: conceptual
 Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
-## Navigate through your software inventory
-
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
-![Screenshot of software inventory page](images/software_inventory_filter.png)
-
-2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
-
-3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
-
 ## How it works
-In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+## Navigate to the Software inventory page
+
+You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+
+View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md).
+
+## Software inventory overview
+
+The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+![Example of the landing page for software inventory.](images/software_inventory_filter.png)
+
+Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+
+![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png)
+
+## Software pages
+
+Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
+
+- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines
+- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities.
+
+![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png)
+
+## Software evidence
+
+We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
+You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
+
+From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
+
+![Software evidence example of Windows 10 from the machines list, showing software evidence registry path.](images/tvm-software-evidence.png)
+
 ## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
-
-1. Select one of the software rows. A flyout will appear.
-
-2. Select "Report inaccuracy" in the flyout
-
-![Screenshot of Report inaccuracy control](images/software-inventory-report-inaccuracy500.png)
+You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
+1. Open the software flyout on the Software inventory page.
+2. Select **Report inaccuracy**.
 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
-
-![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png)
-
 4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](vulnerability.md)
-- [Machine APIs](machine.md)
-- [Score APIs](score.md)
-- [Software APIs](software.md)
-- [Vulnerability APIs](vulnerability.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index d7cad2e5aa..64933d374c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -34,14 +34,14 @@ Windows 7 | Operating System (OS) vulnerabilities
 Windows 8.1 | Not supported
 Windows 10 1607-1703 | Operating System (OS) vulnerabilities
 Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment -Windows Server 2008R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment -Windows Server 2012R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment +Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment +Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
 MacOS | Not supported (planned)
 Linux | Not supported (planned)
-Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
+Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 37bfee2589..4b7a5cb97e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -27,14 +27,7 @@ ms.topic: conceptual
 Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
-
-You can access the list of vulnerabilities in a few places in the portal:
-
-- Global search
-- Weaknesses option in the navigation menu
-- Top vulnerable software widget in the dashboard
-- Discovered vulnerabilities page in the machine page
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
 >[!IMPORTANT]
 >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -45,7 +38,27 @@ You can access the list of vulnerabilities in a few places in the portal:
 ## Navigate to the Weaknesses page
-When new vulnerabilities are released, you can find out how many of your assets are exposed in the **Weaknesses** page of the Threat & Vulnerability Management navigation menu. If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
+Access the Weaknesses page a few different ways:
+
+- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Global search
+
+### Navigation menu
+
+Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs.
+
+### Vulnerabilities in global search
+
+1. Go to the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png)
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+
+## Weaknesses overview
+
+If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
 ![tvm-breach-insights](images/tvm-weaknesses-overview.png)
@@ -54,89 +67,64 @@ When new vulnerabilities are released, you can find out how many of your assets
 You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
 >[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon.
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png).
 The breach insights icon is highlighted if there is a vulnerability found in your organization.
-![tvm-breach-insights](images/tvm-breach-insights.png)
+![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png)
 The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
-![tvm-threat-insights](images/tvm-threat-insights.png)
+![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png)
+## View Common Vulnerabilities and Exposures (CVE) entries in other places
-
-## Vulnerabilities in global search
-
-1. Go to the global search drop-down menu.
-2. 
Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
-![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png)
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
-
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
-
-## Top vulnerable software in the dashboard
+### Top vulnerable software in the dashboard
 1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
-![top vulnerable software card](images/tvm-top-vulnerable-software500.png)
+![Top vulnerable software card with four columns: software, weaknesses, threats, exposed machines.](images/tvm-top-vulnerable-software500.png)
 2. Select the software that you want to investigate to go a drill down page.
 3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
-![Windows server drill down overview](images/windows-server-drilldown.png)
+![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png)
-## Discover vulnerabilities in the machine page
+### Discover vulnerabilities in the machine page
-1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
-2. In the **Machines list** page, select the machine name that you want to investigate.
+View related weaknesses information in the machine page.
+
+1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens.
+2. In the **Machines list** page, select the machine name that you want to investigate.
![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)
-3. The machine page will open with details and response options for the machine you want to investigate.
+3. The machine page will open with details and response options for the machine you want to investigate.
 4. Select **Discovered vulnerabilities**.
![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
-### CVE Detection logic
+#### CVE Detection logic
 Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
-![Screenshot of the machine page with details and response options](images/cve-detection-logic.png)
-
+![Detection Logic example which lists the software detected on the device and the KBs.](images/cve-detection-logic.png)
 ## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
-1. Select the **Discovered vulnerabilities** tab.
-
-2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
-![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png)
-
A flyout pane opens.
-![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png)
-
-3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
-
![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
- > [!NOTE]
- > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+1. Open the CVE on the Weaknesses page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
 ## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
 - [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
 - [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine 
APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 689a9fe3d1..2d474782f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -30,6 +30,10 @@ For more information preview features, see [Preview features](https://docs.micro
 RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us`
+## April 2020
+
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
 ## November-December 2019
 - [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
new file mode 100644
index 0000000000..428f96e9b5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 11045f435f..cdf47d7a4a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi
 ## Prepare for Windows Defender Application Guard
 Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-**Standalone mode**
+### Standalone mode
 Applies to:
 - Windows 10 Enterprise edition, version 1709 or higher
@@ -36,7 +36,7 @@ Applies to:
 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
-**Enterprise-managed mode**
+## Enterprise-managed mode
 Applies to:
 - Windows 10 Enterprise edition, version 1709 or higher
@@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai
 ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
 ## Install Application Guard
-Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
-**To install by using the Control Panel**
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+### To install by using the Control Panel
+
 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
 ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png)
@@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick
 Application Guard and its underlying dependencies are all installed.
-**To install by using PowerShell**
+### To install by using PowerShell
 >[!NOTE]
 >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-
 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
 2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
@@ -79,3 +80,46 @@ Application Guard functionality is turned off by default. However, you can quick
 Application Guard and its underlying dependencies are all installed.
+### To install by using Intune
+
+> [!IMPORTANT]
+> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+
+:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile":::
+
+:::image-end:::
+
+1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+
+2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+
+ a. In the **Platform** list, select **Windows 10 and later**.
+
+ b. In the **Profile** list, select **Endpoint protection**.
+
+ c. Choose **Create**.
+
+4. Specify the following settings for the profile:
+
+ - **Name** and **Description**
+
+ - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
+
+ - In the **Application Guard** list, choose **Enabled for Edge**.
+
+ - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
+
+5. Choose **OK**, and then choose **OK** again.
+
+6. Review your settings, and then choose **Create**.
+
+7. Choose **Assignments**, and then do the following:
+
+ a. On the **Include** tab, in the **Assign to** list, choose an option.
+
+ b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
+
+ c. Click **Save**.
+
+After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index 6f9c6ff4ff..a5eebdf2a2 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -8,7 +8,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 03/15/2019
 ms.reviewer:
 manager: dansimp
 ms.custom: asr
@@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i
 You can see how an employee would use standalone mode with Application Guard.
-**To test Application Guard in Standalone mode**
+### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window
 6. Start Microsoft Edge and type www.microsoft.com.
- After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+ After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
 ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png)
-7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
 After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
@@ -109,7 +108,7 @@ Application Guard provides the following default behavior for your employees:
 You have the option to change each of these settings to work with your enterprise from within Group Policy.
 **Applies to:**
-- Windows 10 Enterpise edition, version 1709 or higher
+- Windows 10 Enterprise edition, version 1709 or higher
 - Windows 10 Professional edition, version 1803
 #### Copy and paste options
@@ -169,10 +168,10 @@ You have the option to change each of these settings to work with your enterpris
 The previously added site should still appear in your **Favorites** list.
 >[!NOTE]
- >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
 **Applies to:**
-- Windows 10 Enterpise edition, version 1803
+- Windows 10 Enterprise edition, version 1803
 - Windows 10 Professional edition, version 1803
 #### Download options
@@ -202,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris
 4. Assess the visual experience and battery performance.
 **Applies to:**
-- Windows 10 Enterpise edition, version 1809
+- Windows 10 Enterprise edition, version 1809
 - Windows 10 Professional edition, version 1809
 #### File trust options
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
new file mode 100644
index 0000000000..daa96d291d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png differ
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 0dabbdb3b1..150df52cc5 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index b9d400165d..176974ae38 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -21,12 +21,13 @@ manager: dansimp
 - Windows 10
 - Windows 10 Mobile
+- Microsoft Edge
-Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
+Windows Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
 **Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
 - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
@@ -36,16 +37,13 @@ Windows Defender SmartScreen protects against phishing or malware websites, and
 - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
- >[!NOTE]
- >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
-
 ## Benefits of Windows Defender SmartScreen
 Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack.
 The primary benefits are:
-- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software.
Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
 - **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
@@ -53,14 +51,14 @@ Windows Defender SmartScreen provide an early warning system against websites th
 - **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
-- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
 > [!IMPORTANT]
 > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
 ## Viewing Windows Defender SmartScreen anti-phishing events
-When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+When Windows Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
 ## Viewing Windows event logs for Windows Defender SmartScreen
 Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
@@ -82,8 +80,5 @@ EventID | Description
 1002 | User Decision Windows Defender SmartScreen Event
 ## Related topics
-- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-
-- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
 - [Threat protection](../index.md)
 - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index bdbd3df95e..1bdb879cd4 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -19,60 +19,65 @@ ms.author: macapara
 **Applies to:**
 - Windows 10, version 1703
 - Windows 10 Mobile
+- Microsoft Edge
-Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
-## How employees can use Windows Security to set up Windows Defender SmartScreen
-Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
+## How users can use Windows Security to set up Windows Defender SmartScreen
+Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it.
 >[!NOTE]
 >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
 **To use Windows Security to set up Windows Defender SmartScreen on a device**
-1. Open the Windows Security app, and then click **App & browser control**.
+1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
-2. In the **App & browser control** screen, choose from the following options:
+2. In the **Reputation-based protection** screen, choose from the following options:
 - In the **Check apps and files** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web.
- - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
+ - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
 - In the **Windows Defender SmartScreen for Microsoft Edge** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
- - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
+ - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+ - In the **Potentially unwanted app blocking** area:
+
+ - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua).
+ - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device.
+
+ - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium).
+
+ - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
 - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
- - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
+ - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+ - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
- ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control.png)
+ ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png)
-## How Windows Defender SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+## How Windows Defender SmartScreen works when a user tries to run an app
+Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service.
If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
-## How employees can report websites as safe or unsafe
-You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+## How users can report websites as safe or unsafe
+Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
 **To report a website as safe from the warning message**
 - On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
 **To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
 **To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
 ## Related topics
 - [Threat protection](../index.md)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f46696402c..c141b00025 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -59,9 +59,6 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 ![Secure Launch Registry](images/secure-launch-registry.png)
-> [!IMPORTANT]
-> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
-
 ## How to verify System Guard Secure Launch is configured and running
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.