deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into whfb-policy-changes

Browse Source
This commit is contained in:
mapalko
2020-04-14 16:25:57 -07:00
parent 6ebf0737e3 f955be1f30
commit 3ca79347dd
287 changed files with 2441 additions and 1302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/identity-protection/TOC.md
View File

@ -71,4 +71,5 @@
### [VPN security features](vpn\vpn-security-features.md)
### [VPN profile options](vpn\vpn-profile-options.md)
### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md)

2
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.

676
windows/security/identity-protection/vpn/vpn-office-365-optimization.md Normal file
View File

@ -0,0 +1,676 @@
---
title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
audience: ITPro
ms.topic: article
author: kelleyvice-msft
ms.localizationpriority: medium
ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
ms.author: jajo
---
# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
> [!NOTE]
> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration).
## Solution Overview
The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files).
Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
To enable the use of force tunneling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
```xml
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
```
In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `<NativeProfile></NativeProfile>` section as follows:
```xml
<Route>
<Address>[IP addresses or subnet]</Address>
<PrefixSize>[IP Prefix]</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
```
Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `<Route></Route>` section for each required exclusion.
An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
```xml
<VPNProfile>
<NativeProfile>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</NativeProfile>
<Route>
<Address>203.0.113.0</Address>
<PrefixSize>24</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>198.51.100.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
</VPNProfile>
```
> [!NOTE]
> The IP addresses and prefix size values in this example are used purely as examples only and should not be used.
## Solution Deployment
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling.
This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used.
An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below.
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
<#
.SYNOPSIS
Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile
.DESCRIPTION
Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file)
Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name
.PARAMETERS
Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
param (
[string]$VPNprofilefile
)
$usage=@"
This script uses the following parameters:
VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file
EXAMPLES
To check a VPN profile PowerShell script file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE]
To check a VPN profile XML file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
"@
# Check if filename has been provided #
if ($VPNprofilefile -eq "")
{
Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red
$usage
exit
}
$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile)
# Check if XML file exists and is a valid XML file #
if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
if ( Test-Path $VPNprofilefile )
{
$xml = New-Object System.Xml.XmlDocument
try
{
$xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName)
}
catch [System.Xml.XmlException]
{
Write-Verbose "$VPNprofilefile : $($_.toString())"
Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red
$usage
exit
}
}
# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section #
if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
{
if ( (Test-Path $VPNprofilefile) )
{
if (-Not $(Select-String -Path $VPNprofilefile -Pattern "<VPNPROFILE>") )
{
Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red
$usage
exit
}
}
# Define Office 365 endpoints and service URLs #
$ws = "https://endpoints.office.com"
$baseServiceUrl = "https://endpoints.office.com"
# Path where client ID and latest version number will be stored #
$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt"
# Fetch client ID and version if data file exists; otherwise create new file #
if (Test-Path $datapath)
{
$content = Get-Content $datapath
$clientRequestId = $content[0]
$lastVersion = $content[1]
}else
{
$clientRequestId = [GUID]::NewGuid().Guid
$lastVersion = "0000000000"
@($clientRequestId, $lastVersion) | Out-File $datapath
}
# Call version method to check the latest version, and pull new data if version number is different #
$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId)
if ($version[0].latest -gt $lastVersion)
{
Write-Host
Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan
# Write the new version number to the data file #
@($clientRequestId, $version[0].latest) | Out-File $datapath
}
# Invoke endpoints method to get the new data #
$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId"
# Invoke endpoints method to get the data for the VPN profile comparison #
$endpointSets = Invoke-RestMethod -Uri ($uri)
$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique
# Temporarily include additional IP address until Teams client update is released
$optimizeIpsv4 += "13.107.60.1/32"
# Process PowerShell script file start #
if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
{
Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan
# Clear Variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file #
$In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list #
$In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file #
# Extract the Profile XML from the ps1 file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with the optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNprofilexml="<VPNPROFILE>"+$xmlbody+"</VPNPROFILE>"
# Loop through each address found in VPNPROFILE XML section #
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
{
$VPNIP=$Route.Address+"/"+$Route.PrefixSize
[array]$ARRVPN=$ARRVPN+$VPNIP
}
# In optimize address list only #
$In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
[int32]$insline=0
for ($i=0; $i -lt $Inpfile.count; $i++)
{
if ($Inpfile[$i] -match "</NativeProfile>")
{
$insline += $i # Record the position of the line after the NativeProfile section ends #
}
}
$OFS = "`r`n"
foreach ($NewIP in $In_Opt_Only)
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$InpFile[$insline] += $OFS+" <Route>"
$InpFile[$insline] += $OFS+" <Address>"+$IPInfo[0].Trim()+"</Address>"
$InpFile[$insline] += $OFS+" <PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"
$InpFile[$insline] += $OFS+" <ExclusionRoute>true</ExclusionRoute>"
$InpFile[$insline] += $OFS+" </Route>"
}
# Update fileName and write new PowerShell file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$InpFile | Set-Content $OutFile
Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
$OutFile=$VPNprofilefile
}
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow
foreach ($OldIP in $In_VPN_Only)
{
[array]$Inpfile = get-content $Outfile
$IPInfo=$OldIP.Split("/")
Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
$matchstr="<Address>"+$IPInfo[0].Trim()+"</Address>"
$DelAns=Read-host
if ($DelAns.ToUpper() -eq "Y")
{
[int32]$insline=0
for ($i=0; $i -lt $Inpfile.count; $i++)
{
if ($Inpfile[$i] -match $matchstr)
{
$insline += $i # Record the position of the line for the string match #
}
}
# Remove entries from XML #
$InpFile[$insline-1]="REMOVETHISLINE"
$InpFile[$insline]="REMOVETHISLINE"
$InpFile[$insline+1]="REMOVETHISLINE"
$InpFile[$insline+2]="REMOVETHISLINE"
$InpFile[$insline+3]="REMOVETHISLINE"
$InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"}
# Update filename and write new PowerShell file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$Inpfile | Set-content $OutFile
Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
}
}
}
}
# Process XML file start #
if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan
# Clear variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from the XML file #
$In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list #
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNRulesxml="$xmlbody"
# Loop through each address found in VPNPROFILE file #
foreach ($Route in $VPNRulesxml.VPNProfile.Route)
{
$VPNIP=$Route.Address+"/"+$Route.PrefixSize
[array]$ARRVPN=$ARRVPN+$VPNIP
}
# In optimize address list only #
$In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_}
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red
foreach ($NewIP in $In_Opt_Only)
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$inspoint = $Inpfile[0].IndexOf("</VPNProfile")
$routes += "<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
}
$Inpfile = $Inpfile[0].Insert($inspoint,$routes)
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$InpFile | Set-Content $OutFile
Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green
}else
{
Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green
$OutFile=$VPNprofilefile
}
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow
foreach ($OldIP in $In_VPN_Only)
{
[array]$Inpfile = get-content $OutFile
$IPInfo=$OldIP.Split("/")
Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow
$matchstr="<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
$DelAns=Read-host
if ($DelAns.ToUpper() -eq "Y")
{
# Remove unknown IP address(es) #
$inspoint = $Inpfile[0].IndexOf($matchstr)
$Inpfile[0] = $Inpfile[0].Replace($matchstr,"")
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
$OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName
$Inpfile | Set-content $OutFile
Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green
}
}
}
}
```
## Version Support
This solution is supported with the following versions of Windows:
- Windows 10 1903/1909 and newer: Included, no action needed
- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437)
- Windows 10 1709 and lower: Exclusion routes are not supported
- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported
- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported
Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied.
## Other Considerations
You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples.
## Examples
An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN
# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER.
<#
.SYNOPSIS
Configures an AlwaysOn IKEv2 VPN Connection using a basic script
.DESCRIPTION
Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
.PARAMETERS
Parameters are defined in a ProfileXML object within the script itself
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
<#-- Define Key VPN Profile Parameters --#>
$ProfileName = 'Contoso VPN with Office 365 Exclusions'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
<#-- Define VPN ProfileXML --#>
$ProfileXML = '<VPNProfile>
<RememberCredentials>true</RememberCredentials>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<AlwaysOn>true</AlwaysOn>
<TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
<NativeProfile>
<Servers>edge1.contoso.com</Servers>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
<MachineMethod>Certificate</MachineMethod>
</Authentication>
</NativeProfile>
<Route>
<Address>13.107.6.152</Address>
<PrefixSize>31</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.18.10</Address>
<PrefixSize>31</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.128.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>23.103.160.0</Address>
<PrefixSize>20</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.96.0.0</Address>
<PrefixSize>13</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.104.0.0</Address>
<PrefixSize>15</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.96.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>131.253.33.215</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>132.245.0.0</Address>
<PrefixSize>16</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>150.171.32.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>191.234.140.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>204.79.197.215</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.136.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>40.108.128.0</Address>
<PrefixSize>17</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.104.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>104.146.128.0</Address>
<PrefixSize>17</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>150.171.40.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.60.1</Address>
<PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>13.107.64.0</Address>
<PrefixSize>18</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.112.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>52.120.0.0</Address>
<PrefixSize>14</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Proxy>
<AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl>
</Proxy>
</VPNProfile>'
<#-- Convert ProfileXML to Escaped Format --#>
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'
<#-- Define WMI-to-CSP Bridge Properties --#>
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"
<#-- Define WMI Session --#>
$session = New-CimSession
<#-- Detect and Delete Previous VPN Profile --#>
try
{
$deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
foreach ($deleteInstance in $deleteInstances)
{
$InstanceId = $deleteInstance.InstanceID
if ("$InstanceId" -eq "$ProfileNameEscaped")
{
$session.DeleteInstance($namespaceName, $deleteInstance, $options)
$Message = "Removed $ProfileName profile $InstanceId"
Write-Host "$Message"
} else {
$Message = "Ignoring existing VPN profile $InstanceId"
Write-Host "$Message"
}
}
}
catch [Exception]
{
$Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
Write-Host "$Message"
exit
}
<#-- Create VPN Profile --#>
try
{
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)
$session.CreateInstance($namespaceName, $newInstance, $options)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
Write-Host "$ProfileName profile summary:"
$session.EnumerateInstances($namespaceName, $className, $options)
}
catch [Exception]
{
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
exit
}
$Message = "Script Complete"
Write-Host "$Message"
```
An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
>[!NOTE]
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
```xml
<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix><AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile><Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType><NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod></Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address><PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address><PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.104.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address><PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Proxy><AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>
```

6
windows/security/information-protection/TOC.md
View File

@ -38,7 +38,7 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
## [Kernel DMA Protection for Thunderbolt 3](kernel-dma-protection-for-thunderbolt.md)
## [Kernel DMA Protection for Thunderbolt&trade; 3](kernel-dma-protection-for-thunderbolt.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
@ -47,8 +47,8 @@
##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md)
#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)

4
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts it with the WDS servers BitLocker Network Unlock certificate RSA private key.
6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.

0
windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg → windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 125 KiB

4
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -111,7 +111,7 @@ list volume
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg)
![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
You receive an error message that resembles the following:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable SecureBoot could not be read. A required privilege is not held by the client.
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
### Cause

18
windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
View File

@ -23,12 +23,12 @@ ms.reviewer:
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
## Manually create an EFS DRA certificate
@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
> [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
## Verify your data recovery certificate is correctly set up on a WIP client computer
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so its encrypted by WIP.
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that its encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later
<code>Robocopy "%localappdata%\Microsoft\EDP\Recovery" "<i>new_location</i>" * /EFSRAW</code>
Where "*new_location*" is in a different directory. This can be on the employees device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later
4. Ask the employee to lock and unlock the device.
The Windows Credential service automatically recovers the employees previously revoked keys from the `Recovery\Input` location.
The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
## Auto-recovery of encryption keys
Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
To help make sure employees can always access files, WIP creates an auto-recovery key thats backed up to their Azure Active Directory (Azure AD) identity.
To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
The employee experience is based on sign in with an Azure AD work account. The employee can either:
@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)

104
windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md → windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
View File

@ -25,10 +25,10 @@ ms.date: 01/09/2020
- Windows 10 Mobile, version 1607 and later
- Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy
After youve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
>[!TIP]
> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
@ -37,16 +37,16 @@ After youve installed and set up Configuration Manager for your organization,
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png)
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png)
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png)
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy
During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
@ -82,13 +82,13 @@ For this example, were going to add Microsoft OneNote, a store app, to the **
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png)
![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as CN= followed by the `windowsPhoneLegacyId`.<p>For example:<p>
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.<p>For example:<p>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as CN= followed by the `windowsPhoneLegacyId`.
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
> For example:<p>
> ```json
> {
@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk
> ```
### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png)
![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@ -186,7 +186,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All fields left as "*"</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
@ -215,7 +215,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
If you're unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
@ -232,7 +232,7 @@ Path Publisher
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -257,7 +257,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
@ -277,7 +277,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
The policy is saved and you'll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
@ -299,7 +299,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.
12. After you've created your XML file, you need to import it by using Configuration Manager.
**To import your Applocker policy file app rule using Configuration Manager**
@ -307,13 +307,13 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png)
![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
4. Fill out the rest of the app rule info, based on the type of rule you're adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.|
![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png)
![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png)
## Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png)
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!IMPORTANT]
>Every WIP policy should include policy that defines your enterprise network locations.<br>
>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png)
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
<table>
<tr>
@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you dont use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Proxy servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
</tr>
<tr>
<td>Internal proxy servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/> </tr>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/> </tr>
<tr>
<td>Enterprise IPv4 Range (Required)</td>
<td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw
4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png)
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png)
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you dont specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, click **Summary**.
@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png)
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
## Deploy the WIP policy
After youve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)

4
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to
![Sensitivity labels](images/sensitivity-label-auto-label.png)
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, drivers license numbers, and so on.
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
### Protection
@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas
- Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 11 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 44 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 44 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 121 KiB

After

Width:  |  Height:  |  Size: 121 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 66 KiB

After

Width:  |  Height:  |  Size: 66 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 52 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.4 KiB

After

Width:  |  Height:  |  Size: 1.4 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.8 KiB

After

Width:  |  Height:  |  Size: 2.8 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 46 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 40 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 46 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 49 KiB

0
windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png → windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

2
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md → windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
View File

@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp
## In this section
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |

4
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><br><br>
<ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
</ul>
<strong>For mobile:</strong><br><br>
<ol>
@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
<ol>
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the users context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
</ol>
</td>
</tr>

7
windows/security/threat-protection/TOC.md
View File

@ -6,6 +6,7 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
@ -27,7 +28,7 @@
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
@ -443,7 +444,7 @@
### [Configure integration with other Microsoft solutions]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
## Reference
@ -583,7 +584,7 @@
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)

2
windows/security/threat-protection/index.md
View File

@ -77,7 +77,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
<a name="edr"></a>

3
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -26,7 +26,6 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://
Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies.
<br><br>
![String of images showing scores](./images/Transparency-report-November1.png)
**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
@ -54,7 +53,7 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
### AV-Comparatives: Protection rating of 99.9% in the latest test
### AV-Comparatives: Protection rating of 99.6% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.

197
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -30,9 +30,9 @@ Your attack surface is the total number of places where an attacker could compro
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
* Launching executable files and scripts that attempt to download or run files
* Running obfuscated or otherwise suspicious scripts
* Performing behaviors that apps don't usually initiate during normal day-to-day work
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
@ -44,9 +44,11 @@ For more information about configuring attack surface reduction rules, see [Enab
## Attack surface reduction features across Windows versions
You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
You can set attack surface reduction rules for computers running the following versions of Windows:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
@ -77,11 +79,11 @@ You can review the Windows event log to view events generated by attack surface
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
Event ID | Description
-|-
5007 | Event when settings are changed
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
|Event ID | Description |
|---|---|
|5007 | Event when settings are changed |
|1121 | Event when rule fires in Block-mode |
|1122 | Event when rule fires in Audit-mode |
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
@ -89,38 +91,42 @@ The "engine version" listed for attack surface reduction events in the event log
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
Rule name | GUID | File & folder exclusions
-|-|-
[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|-----|----|---|---|
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
@ -128,27 +134,35 @@ This rule blocks Office apps from creating child processes. This includes Word,
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
### Block Office applications from injecting code into other processes
@ -160,13 +174,17 @@ There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
@ -177,13 +195,17 @@ Although not common, line-of-business applications sometimes use scripts to down
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block execution of potentially obfuscated scripts
@ -191,13 +213,17 @@ This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
@ -205,37 +231,42 @@ This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
This rule was introduced in:
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
* Executable files (such as .exe, .dll, or .scr)
- Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
@ -244,13 +275,17 @@ This rule provides an extra layer of protection against ransomware. It scans exe
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block credential stealing from the Windows local security authority subsystem
@ -261,13 +296,17 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block process creations originating from PSExec and WMI commands
@ -276,13 +315,16 @@ This rule blocks processes created through [PsExec](https://docs.microsoft.com/s
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
@ -291,13 +333,17 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
@ -308,13 +354,16 @@ This protects against social engineering attacks and prevents exploit code from
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block Adobe Reader from creating child processes
@ -322,13 +371,16 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
This rule was introduced in:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
@ -336,17 +388,22 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in: Windows 10 1903, Windows Server 1903
This rule was introduced in:
- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
* [Attack surface reduction FAQ](attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
- [Attack surface reduction FAQ](attack-surface-reduction.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)

64
windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
View File

@ -1,7 +1,7 @@
---
title: Configure HP ArcSight to pull Microsoft Defender ATP detections
description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure HP ArcSight to pull Microsoft Defender ATP detections
# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@ -28,14 +28,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
You can generate these tokens from the **SIEM integration** setup section of the portal.
## Install and configure HP ArcSight FlexConnector
## Install and configure Micro Focus ArcSight FlexConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
NOTE:
You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
> [!NOTE]
>
> You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be
</td>
</tr>
</tr>
</table><br/>7. A browser window is opened by the connector. Login with your application credentials. After you log in, you&#39;ll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the <code>redirect_uri</code> is a https URL, you&#39;ll be redirected to a URL on the local host. You&#39;ll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You&#39;ll need to trust this certificate if the redirect_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
</table><br/>
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
13. Select **Install as a service** and click **Next**.
13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
14. Select **Install as a service** and click **Next**.
15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
16. Finish the installation by selecting **Exit** and **Next**.
16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
17. Finish the installation by selecting **Exit** and **Next**.
## Install and configure the Micro Focus ArcSight console
## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
7. Click **Done** to quit the installer.
8. Login to the HP ArcSight console.
8. Login to the Micro Focus ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
You can now run queries in the Micro Focus ArcSight console.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
## Troubleshooting Micro Focus ArcSight connection
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.

2
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
View File

@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune

22
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -31,7 +31,7 @@ ms.topic: article
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
@ -46,7 +46,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
> [!NOTE]
> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
@ -77,7 +77,7 @@ You'll need to take the following steps if you choose to onboard servers through
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
@ -87,7 +87,7 @@ You'll need to take the following steps if you choose to onboard servers through
> [!IMPORTANT]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
@ -100,7 +100,7 @@ The following steps are required to enable this integration:
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
<span id="server-mma"/>
@ -126,7 +126,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
## Windows Server, version 1803 and Windows Server 2019
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below.
> [!NOTE]
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
@ -140,11 +140,11 @@ Supported tools include:
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@ -165,17 +165,17 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
```sc query Windefend```
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
> Automated onboarding is only applicable for Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach

3
windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
View File

@ -76,6 +76,9 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**

7
windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
View File

@ -131,10 +131,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
## PowerShell
>[!WARNING]
>If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.

2
windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
View File

@ -67,6 +67,8 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar

3
windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
View File

@ -58,6 +58,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
> [!TIP]
> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 80 KiB

After

Width:  |  Height:  |  Size: 80 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 51 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 52 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 96 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 61 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 53 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 83 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 42 KiB

After

Width:  |  Height:  |  Size: 42 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 83 KiB

0
windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png → windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 150 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 100 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 85 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 125 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 187 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 170 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 111 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 83 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.6 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

95
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
View File

@ -1,95 +0,0 @@
---
title: Configure information protection in Windows
ms.reviewer:
description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure information protection in Windows
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
>[!TIP]
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
## Prerequisites
- Endpoints need to be on Windows 10, version 1809 or later
- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
## Configure endpoint data loss prevention
Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
>[!NOTE]
>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
1. Go to: **Classifications > Labels**.
2. Create a label or edit an existing one.
3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png)
4. Repeat for every label that you want to get WIP applied to in Windows.
## Configure auto labeling
Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.
>[!NOTE]
> Auto-labeling requires Windows 10, version 1903.
1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
2. Create a new label or edit an existing one.
3. Set a policy for Data classification:
1. Go through the label creation wizard.
2. When you reach the Auto labeling page, turn on auto labeling toggle on.
3. Add a new auto-labeling rule with the conditions that you require.
![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png)
4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
## Related topic
- [Information protection in Windows overview](information-protection-in-windows-overview.md)

31
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
View File

@ -27,7 +27,6 @@ ms.topic: conceptual
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
>[!TIP]
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
@ -95,36 +94,6 @@ InformationProtectionLogs_CL
- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
## Data protection
### Endpoint data loss prevention
For data to be protected, they must first be identified through labels.
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png)
Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
## Auto labeling
Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
> [!NOTE]
> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
## Related topics

44
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -43,6 +43,9 @@ The choice of the channel determines the type and frequency of updates that are
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
> [!WARNING]
> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
### RHEL and variants (CentOS and Oracle Linux)
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
@ -201,15 +204,19 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
```bash
ls -l
total 8
-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
```bash
ls -l
```
unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
`total 8`
`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
`Archive: WindowsDefenderATPOnboardingPackage.zip`
`inflating: WindowsDefenderATPOnboarding.py`
## Client configuration
@ -231,14 +238,12 @@ Download the onboarding package from Microsoft Defender Security Center:
```bash
mdatp --health orgId
[your organization identifier]
```
4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
```bash
mdatp --health healthy
1
```
> [!IMPORTANT]
@ -248,22 +253,21 @@ Download the onboarding package from Microsoft Defender Security Center:
- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
```bash
mdatp --health realTimeProtectionEnabled
1
```
```bash
mdatp --health realTimeProtectionEnabled
```
- Open a Terminal window. Copy and execute the following command:
``` bash
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
```
``` bash
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
```
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
```bash
mdatp --threat --list --pretty
```
```bash
mdatp --threat --list --pretty
```
## Log installation issues

3
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -139,6 +139,9 @@ Create subtask or role files that contribute to an actual task. First create the
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
> [!WARNING]
> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.

92
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux with Puppet
ms.reviewer:
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center:
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create a Puppet manifest
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server.
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
@ -84,46 +84,74 @@ The choice of the channel determines the type and frequency of updates that are
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
> [!WARNING]
> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
> In case of Oracle Linux, replace *[distro]* with rhel.
> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'.
```puppet
class install_mdatp {
# Puppet manifest to install Microsoft Defender ATP.
# @param channel The release channel based on your environment, insider-fast or prod.
# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
# @param version The Linux distribution release number, e.g. 7.4.
if ($osfamily == 'Debian') {
apt::source { 'microsoftpackages' :
location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS
release => '[channel]',
repos => 'main',
key => {
'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
'server' => 'https://packages.microsoft.com/keys/microsoft.asc',
},
class install_mdatp (
$channel = 'insiders-fast',
$distro = undef,
$version = undef
){
case $::osfamily {
'Debian' : {
apt::source { 'microsoftpackages' :
location => "https://packages.microsoft.com/${distro}/${version}/prod",
release => $channel,
repos => 'main',
key => {
'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
'server' => 'keyserver.ubuntu.com',
},
}
}
}
else {
yumrepo { 'microsoftpackages' :
baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS
enabled => 1,
gpgcheck => 1,
gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
'RedHat' : {
yumrepo { 'microsoftpackages' :
baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
descr => "packages-microsoft-com-prod-${channel}",
enabled => 1,
gpgcheck => 1,
gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
}
}
default : { fail("${::osfamily} is currently not supported.") }
}
package { 'mdatp':
ensure => 'installed',
}
case $::osfamily {
/(Debian|RedHat)/: {
file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
ensure => directory,
owner => root,
group => root,
mode => '0755'
}
file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
ensure => directory,
}
file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
mode => "0644",
source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
source => 'puppet:///modules/mdatp/mdatp_onboard.json',
owner => root,
group => root,
mode => '0600',
require => File['/etc/opt/microsoft/mdatp']
}
package { 'mdatp':
ensure => 'installed',
require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
}
}
default : { fail("${::osfamily} is currently not supported.") }
}
}
```
@ -162,7 +190,7 @@ orgId : "[your organization identifier]"
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
```bash
$ mdatp --health healthy
mdatp --health healthy
```
The above command prints `1` if the product is onboarded and functioning as expected.

2
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
View File

@ -54,7 +54,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:

177
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -1,6 +1,6 @@
---
title: Investigate entities on machines using live response in Microsoft Defender ATP
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,29 +17,42 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate entities on machines using live response
# Investigate entities on devices using live response
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats real-time.
Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats - in real time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
With live response, analysts will have the ability to:
- Run basic and advanced commands to do investigative work
With live response, analysts can do all of the following tasks:
- Run basic and advanced commands to do investigative work on a device
- Download files such as malware samples and outcomes of PowerShell scripts
- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
- Download files in the background (new!)
- Upload a PowerShell script or executable to the library and run it on a device from a tenant level
- Take or undo remediation actions
## Before you begin
Before you can initiate a session on a machine, make sure you fulfill the following requirements:
- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
Before you can initiate a session on a device, make sure you fulfill the following requirements:
- **Verify that you're running a supported version of Windows 10** <br/>
Devices must be running one of the following versions of Windows 10:
- [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- **Make sure to install appropriate security updates**<br/>
- 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
- 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- **Enable live response from the settings page**<br>
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
@ -52,18 +65,18 @@ You'll need to enable the live response capability in the [Advanced features set
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
- **Ensure that you have the appropriate permissions**<br>
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
> [!IMPORTANT]
> The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
## Live response dashboard overview
When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
- Who created the session
- When the session started
@ -79,81 +92,109 @@ The dashboard also gives you access to:
## Initiate a live response session on a machine
1. Log in to Microsoft Defender Security Center.
2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
>[!NOTE]
>Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
## Live response commands
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
### Basic commands
The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
Command | Description
:---|:---|:---
cd | Changes the current directory.
cls | Clears the console screen.
connect | Initiates a live response session to the machine.
connections | Shows all the active connections.
dir | Shows a list of files and subdirectories in a directory
drivers | Shows all drivers installed on the machine.
fileinfo | Get information about a file.
findfile | Locates files by a given name on the machine.
help | Provides help information for live response commands.
persistence | Shows all known persistence methods on the machine.
processes | Shows all processes running on the machine.
registry | Shows registry values.
scheduledtasks| Shows all scheduled tasks on the machine.
services | Shows all services on the machine.
trace | Sets the terminal's logging mode to debug.
The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
| Command | Description |
|---|---|--- |
|`cd` | Changes the current directory. |
|`cls` | Clears the console screen. |
|`connect` | Initiates a live response session to the device. |
|`connections` | Shows all the active connections. |
|`dir` | Shows a list of files and subdirectories in a directory. |
|`download <file_path> &` | Downloads a file in the background. |
drivers | Shows all drivers installed on the device. |
|`fg <command ID>` | Returns a file download to the foreground. |
|`fileinfo` | Get information about a file. |
|`findfile` | Locates files by a given name on the device. |
|`help` | Provides help information for live response commands. |
|`persistence` | Shows all known persistence methods on the device. |
|`processes` | Shows all processes running on the device. |
|`registry` | Shows registry values. |
|`scheduledtasks` | Shows all scheduled tasks on the device. |
|`services` | Shows all services on the device. |
|`trace` | Sets the terminal's logging mode to debug. |
### Advanced commands
The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
Command | Description
:---|:---
analyze | Analyses the entity with various incrimination engines to reach a verdict.
getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command.
run | Runs a PowerShell script from the library on the machine.
library | Lists files that were uploaded to the live response library.
putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
undo | Restores an entity that was remediated.
| Command | Description |
|---|---|
| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
| `getfile` | Gets a file from the device. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
| `run` | Runs a PowerShell script from the library on the device. |
| `library` | Lists files that were uploaded to the live response library. |
| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
|`undo` | Restores an entity that was remediated. |
## Use live response commands
The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
### Get a file from the machine
For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
>[!NOTE]
>There is a file size limit of 750mb.
### Download a file in the background
To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
- To download a file in the background, in the live response command console, type `download <file_path> &`
- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
- To bring a file download to the foreground, in the live response command console, type `fg <command_id>`
Here are some examples:
|Command |What it does |
|---------|---------|
|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`fg 1234` |Returns a download with command ID *1234* to the foreground |
### Put a file in the library
Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
#### To upload a file in the library
**To upload a file in the library:**
1. Click **Upload file to library**.
2. Click **Browse** and select the file.
3. Provide a brief description.
4. Specify if you'd like to overwrite a file with the same name.
5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
6. Click **Confirm**.
7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
@ -163,9 +204,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C.
>[!WARNING]
>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
### Automatically run prerequisite commands
Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
You can use the auto flag to automatically run prerequisite commands, for example:
@ -174,8 +214,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl
getfile c:\Users\user\Desktop\work.txt -auto
```
## Run a PowerShell script
Before you can run a PowerShell script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script.
@ -185,9 +225,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
## Apply command parameters
- View the console help to learn about command parameters. To learn about an individual command, run:
`help <command name>`
@ -204,9 +243,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
`<command name> -type file -id <file path> - auto` or `remediate file <file path> - auto`.
## Supported output types
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
- `-output json`
@ -215,8 +253,8 @@ Live response supports table and JSON format output types. For each command, the
>[!NOTE]
>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
## Supported output pipes
Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
@ -225,27 +263,24 @@ Example:
processes > output.txt
```
## View the command log
Select the **Command log** tab to see the commands used on the machine during a session.
Select the **Command log** tab to see the commands used on the device during a session.
Each command is tracked with full details such as:
- ID
- Command line
- Duration
- Status and input or output side bar
## Limitations
- Live response sessions are limited to 10 live response sessions at a time
- Large scale command execution is not supported
- A user can only initiate one session at a time
- A machine can only be in one session at a time
- There is a file size limit of 750mb when downloading files from a machine
- A device can only be in one session at a time
- There is a file size limit of 750mb when downloading files from a device
## Related topic
## Related article
- [Live response command examples](live-response-command-examples.md)

54
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
View File

@ -24,15 +24,29 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Client device setup](#client-device-setup)
- [Create System Configuration profiles](#create-system-configuration-profiles)
- [Publish application](#publish-application)
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Client device setup](#client-device-setup)
1. [Create System Configuration profiles](#create-system-configuration-profiles)
1. [Publish application](#publish-application)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Overview
The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below.
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@ -86,23 +100,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. You are asked to confirm device management.
1. Confirm device management.
![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png)
![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png)
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png)
![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png)
2. Select **Continue** and complete the enrollment.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png)
![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png)
## Create System Configuration profiles
@ -116,7 +130,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
@ -187,7 +201,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
</plist>
```
9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -284,9 +298,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
## Publish application
@ -294,11 +308,13 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
5. Use **macOS High Sierra 10.13** as the minimum OS.
5. Use **macOS High Sierra 10.13** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
@ -311,7 +327,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
![Client apps screenshot](../windows-defender-antivirus/images/MDATP-10-ClientApps.png)
9. Change **Assignment type** to **Required**.
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](../windows-defender-antivirus/images/MDATP-11-Assignments.png)
@ -341,7 +357,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende
## Logging installation issues
For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) .
For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
## Uninstallation

47
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
View File

@ -15,6 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/10/2020
---
# JAMF-based deployment for Microsoft Defender ATP for Mac
@ -24,11 +25,12 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Create JAMF policies](#create-jamf-policies)
- [Client device setup](#client-device-setup)
- [Deployment](#deployment)
- [Check onboarding status](#check-onboarding-status)
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Create JAMF policies](#create-jamf-policies)
1. [Client device setup](#client-device-setup)
1. [Deployment](#deployment)
1. [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@ -36,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
## Overview
The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below.
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@ -43,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi
1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**.
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
>[!NOTE]
>Jamf falls under **Mobile Device Management**.
> [!NOTE]
> Jamf falls under **Mobile Device Management**.
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/jamf-onboarding.png)
5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
```bash
$ ls -l
@ -73,17 +88,18 @@ You need to create a configuration profile and a policy to start deploying Micro
### Configuration Profile
The configuration profile contains a custom settings payload that includes:
The configuration profile contains a custom settings payload that includes the following:
- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
- Approved Kernel Extensions payload to enable running the Microsoft kernel driver
To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
> You must set the Preference Domain as "com.microsoft.wdav.atp"
> You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
![Configuration profile screenshot](../windows-defender-antivirus/images/MDATP-16-PreferenceDomain.png)
![Configuration profile screenshot](./images/msdefender-mac-config-profile.png)
### Approved Kernel Extension
@ -230,6 +246,7 @@ $ mdatp --health healthy
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 0 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running

11
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -310,17 +310,6 @@ Manage the preferences of the endpoint detection and response (EDR) component of
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Enable / disable early preview
Specify whether to enable EDR early preview features.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | earlyPreview |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Device tags
Specify a tag name and its value.

14
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -85,6 +85,9 @@ If you experience any installation failures, refer to [Troubleshooting installat
- Minimum kernel version 2.6.38
- The `fanotify` kernel option must be enabled
> [!CAUTION]
> Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
- Disk space: 650 MB
- The solution currently provides real-time protection for the following file system types:
@ -111,7 +114,7 @@ The following table lists the services and their associated URLs that your netwo
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
> [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
@ -119,7 +122,12 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
## How to update Microsoft Defender ATP for Linux
@ -131,4 +139,4 @@ Guidance for how to configure the product in enterprise environments is availabl
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).

Some files were not shown because too many files have changed in this diff Show More