The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).
The data type is integer. Supported operation is Get and Replace. -**InBoxApps/Connect** +**InBoxApps/Connect**
Added in Windows 10, version 1703. Node for the Connect app. -**InBoxApps/Connect/AutoLaunch** +**InBoxApps/Connect/AutoLaunch**
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
The data type is boolean. Supported operation is Get and Replace. -**Properties** +**Properties**
Node for the device properties. -**Properties/FriendlyName** +**Properties/FriendlyName**
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
The data type is string. Supported operation is Get and Replace. -**Properties/DefaultVolume** +**Properties/DefaultVolume**
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
The data type is integer. Supported operation is Get and Replace. -**Properties/ScreenTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. +**Properties/ScreenTimeout** +
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
The following table shows the permitted values. @@ -370,8 +375,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace. -**Properties/SessionTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. +**Properties/SessionTimeout** +
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
The following table shows the permitted values. @@ -422,8 +427,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace. -**Properties/SleepTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. +**Properties/SleepTimeout** +
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
The following table shows the permitted values. @@ -479,58 +484,49 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
Valid values: -- 0 - Connected Standby (default) -- 1 - Hibernate +- 0 - Connected Standby (default) +- 1 - Hibernate
The data type is integer. Supported operation is Get and Replace. -**Properties/AllowSessionResume** -
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. +**Properties/AllowSessionResume** +
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
The data type is boolean. Supported operation is Get and Replace. -**Properties/AllowAutoProxyAuth** +**Properties/AllowAutoProxyAuth**
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
The data type is boolean. Supported operation is Get and Replace. -**Properties/DisableSigninSuggestions** -
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. +**Properties/DisableSigninSuggestions** +
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.
The data type is boolean. Supported operation is Get and Replace. -**Properties/DoNotShowMyMeetingsAndFiles** +**Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.
The data type is boolean. Supported operation is Get and Replace. -**MOMAgent** +**MOMAgent**
Node for the Microsoft Operations Management Suite. -**MOMAgent/WorkspaceID** +**MOMAgent/WorkspaceID**
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent.
The data type is string. Supported operation is Get and Replace. -**MOMAgent/WorkspaceKey** +**MOMAgent/WorkspaceKey**
Primary key for authenticating with the workspace.
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
-
-
-
-
-
-
-
-
-
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index b4324b1297..0a784d5c01 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -37,7 +37,7 @@
"audience": "ITPro",
"ms.topic": "article",
"feedback_system": "None",
- "hideEdit": true,
+ "hideEdit": false,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration",
@@ -45,6 +45,15 @@
}
},
"titleSuffix": "Configure Windows",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
"searchScope": ["Windows 10"]
},
"fileMetadata": {},
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
index 3dcf319a94..a7f9b909e9 100644
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@@ -36,7 +36,16 @@
"./": {
"depot_name": "MSDN.windows-configure"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
index e287ca8721..58a98d4813 100644
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-deploy",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index ebdcfa1363..0cea204292 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020
# What's new in Windows 10 deployment
-**Applies to**
-- Windows 10
+**Applies to:**
+- Windows 10
## In this topic
@@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines
- Windows 10
- Office 365
-- Enterprise Mobility and Security (EMS).
+- Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster).
@@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
+- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+ - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
@@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
+- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
@@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
@@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager
@@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics:
@@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
### MBR2GPT
-MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
@@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
-
+
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
### Windows 10 deployment proof of concept (PoC)
-The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
For more information, see the following guides:
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5c8972471b..2779d317f6 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -147,7 +147,7 @@ On **MDT01**:
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+
The Adobe Reader application added to the Deployment Workbench.
@@ -267,7 +267,7 @@ On **MDT01**:
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-
+
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@@ -361,6 +361,9 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
### Configure the rules
+> [!NOTE]
+> The following instructions assume the device is online. If you're offline you can remove SLShare variable.
+
On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
@@ -533,7 +536,7 @@ On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
-- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
-- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
+- [Get an overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
+- [Learn about automation levels](microsoft-defender-atp/automation-levels.md)
+- [Configure automated investigation and remediation in Defender for Endpoint](microsoft-defender-atp/configure-automated-investigations-remediation.md)
+- [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md)
+- [Review remediation actions following an automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
+- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index 75911ebb62..c04445eb32 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -1,8 +1,8 @@
---
-title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019
+title: Configure Microsoft Defender Antivirus exclusions on Windows Server
ms.reviewer:
manager: dansimp
-description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
+description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
@@ -14,6 +14,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.technology: mde
+ms.date: 02/10/2021
---
# Configure Microsoft Defender Antivirus exclusions on Windows Server
@@ -24,8 +25,7 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
+Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
@@ -36,33 +36,29 @@ In addition to server role-defined automatic exclusions, you can add or remove c
## A few points to keep in mind
+Keep the following important points in mind:
+
- Custom exclusions take precedence over automatic exclusions.
-
- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
-
- Custom and duplicate exclusions do not conflict with automatic exclusions.
-
- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
-In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
@@ -73,11 +69,12 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+To learn more, see the following resources:
-[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
@@ -96,54 +93,42 @@ The following sections contain the exclusions that are delivered with automatic
This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
+> [!NOTE]
+> The default locations could be different than what's listed in this article.
+
#### Windows "temp.edb" files
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
-
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
-
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
-
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
-
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
-
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files
- `%windir%\Security\database\*.chk`
-
- `%windir%\Security\database\*.edb`
-
- `%windir%\Security\database\*.jrs`
-
- `%windir%\Security\database\*.log`
-
- `%windir%\Security\database\*.sdb`
#### Group Policy files
- `%allusersprofile%\NTUser.pol`
-
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
-
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files
- `%systemroot%\System32\Wins\*\*.chk`
-
- `%systemroot%\System32\Wins\*\*.log`
-
- `%systemroot%\System32\Wins\*\*.mdb`
-
- `%systemroot%\System32\LogFiles\`
-
- `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions
@@ -151,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- `%windir%\Ntfrs\jet\sys\*\edb.chk`
-
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
-
- `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
@@ -174,33 +157,21 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- `%systemdrive%\System Volume Information\DFSR\$db_normal$`
-
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
-
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
-
- `%systemdrive%\System Volume Information\DFSR\*.XML`
-
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
-
- `%systemdrive%\System Volume Information\DFSR\$db_clean$`
-
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
-
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
-
- `%systemdrive%\System Volume Information\DFSR\*.frx`
-
- `%systemdrive%\System Volume Information\DFSR\*.log`
-
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
-
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions
- `%systemroot%\System32\dfsr.exe`
-
- `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions
@@ -214,23 +185,16 @@ The following table lists the file type exclusions, folder exclusions, and proce
#### SYSVOL files
- `%systemroot%\Sysvol\Domain\*.adm`
-
- `%systemroot%\Sysvol\Domain\*.admx`
-
- `%systemroot%\Sysvol\Domain\*.adml`
-
- `%systemroot%\Sysvol\Domain\Registry.pol`
-
- `%systemroot%\Sysvol\Domain\*.aas`
-
- `%systemroot%\Sysvol\Domain\*.inf`
-
-- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
-
+- `%systemroot%\Sysvol\Domain\*Scripts.ini`
- `%systemroot%\Sysvol\Domain\*.ins`
-
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
+
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
@@ -240,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- `%windir%\Ntds\ntds.dit`
-
- `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files
@@ -248,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- `%windir%\Ntds\EDB*.log`
-
- `%windir%\Ntds\Res*.log`
-
- `%windir%\Ntds\Edb*.jrs`
-
- `%windir%\Ntds\Ntds*.pat`
-
- `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder
@@ -262,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- `%windir%\Ntds\Temp.edb`
-
- `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe`
-
- `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions
@@ -276,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- `%systemroot%\System32\DHCP\*\*.mdb`
-
- `%systemroot%\System32\DHCP\*\*.pat`
-
- `%systemroot%\System32\DHCP\*\*.log`
-
- `%systemroot%\System32\DHCP\*\*.chk`
-
- `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions
@@ -292,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log`
-
- `%systemroot%\System32\Dns\*\*.dns`
-
- `%systemroot%\System32\Dns\*\*.scc`
-
- `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role
@@ -308,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- `%SystemDrive%\ClusterStorage`
-
- `%clusterserviceaccount%\Local Settings\Temp`
-
- `%SystemDrive%\mscs`
### Print Server exclusions
@@ -320,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions
- `*.shd`
-
- `*.spl`
#### Folder exclusions
@@ -340,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
-
- `%systemDrive%\inetpub\logs`
-
- `%systemDrive%\inetpub\wwwroot`
#### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe`
-
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
-
- `%SystemDrive%\PHP5433\php-cgi.exe`
+#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
+
+The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
+
+- `%systemroot%\Sysvol\Domain`
+- `%systemroot%\Sysvol_DFSR\Domain`
+
+The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
+
+Exclude the following files from this folder and all its subfolders:
+
+- `*.adm`
+- `*.admx`
+- `*.adml`
+- `Registry.pol`
+- `Registry.tmp`
+- `*.aas`
+- `*.inf`
+- `Scripts.ini`
+- `*.ins`
+- `Oscfilter.ini`
+
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- `%systemroot%\WSUS\WSUSContent`
-
- `%systemroot%\WSUS\UpdateServicesDBFiles`
-
- `%systemroot%\SoftwareDistribution\Datastore`
-
- `%systemroot%\SoftwareDistribution\Download`
-## Related articles
+## See also
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 0d5c3a2ccf..e95120c0b6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 02/04/2021
+ms.date: 02/12/2021
ms.technology: mde
---
@@ -78,11 +78,11 @@ All our updates contain
January-2021 (Platform: 4.18.2101.8 | Engine: 1.1.17800.5)
+ January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)
Security intelligence update version: **1.327.1854.0**
Released: **February 2, 2021**
- Platform: **4.18.2101.8**
+ Platform: **4.18.2101.9**
Engine: **1.1.17800.5**
Support phase: **Security and Critical Updates**
@@ -93,6 +93,7 @@ All our updates contain
- Increased visibility for credential stealing attempts
- Improvements in antitampering features in Microsoft Defender Antivirus services
- Improved support for ARM x64 emulation
+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
### Known Issues
No known issues
@@ -146,7 +147,7 @@ After a new package version is released, support for the previous two versions i
Released: **October 01, 2020**
Platform: **4.18.2009.7**
Engine: **1.1.17500.4**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade support (only)**
### What's new
@@ -172,7 +173,8 @@ No known issues
Released: **August 27, 2020**
Platform: **4.18.2008.9**
Engine: **1.1.17400.5**
-
+ Support phase: **Technical upgrade support (only)**
+
### What's new
- Add more telemetry events
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 20419165db..20a13881ec 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
-ms.date: 01/27/2021
+ms.date: 02/09/2021
ms.technology: mde
---
@@ -43,8 +43,8 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode [[1](#fn1)] |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually) [[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) [[1](#fn1)] |
+| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 427ebf59db..81bb63ed13 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -30,12 +30,9 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
->
-> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->
-> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
->
+> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed.
> This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
@@ -44,12 +41,11 @@ The Windows Security app is a client interface on Windows 10, version 1703 and l
## Review virus and threat protection settings in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
## Comparison of settings and functions of the old app and the new app
All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
@@ -60,13 +56,13 @@ The following diagrams compare the location of settings and functions between th
-Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
----|---|---|---
-1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
-2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
-3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
-5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
+| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description |
+|:---|:---|:---|:---|
+| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) |
+| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed |
+| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission |
+| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan |
+| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option |
## Common tasks
@@ -80,55 +76,41 @@ This section describes how to perform some of the most common tasks when reviewi
### Run a scan with the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Scan now**.
-
-4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Scan now**.
+4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan.
### Review the security intelligence update version and download the latest updates in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
-
- 
-
-4. Click **Check for updates** to download new protection updates (if there are any).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
+4. Select **Check for updates** to download new protection updates (if there are any).
### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection settings**.
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Virus & threat protection settings**.
4. Toggle the **Real-time protection** switch to **On**.
> [!NOTE]
> If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >
- > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
+ > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection settings**.
-
-4. Under the **Exclusions** setting, click **Add or remove exclusions**.
-
-5. Click the plus icon to choose the type and set the options for each exclusion.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Under the **Manage settings**, select **Virus & threat protection settings**.
+4. Under the **Exclusions** setting, select **Add or remove exclusions**.
+5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
The following table summarizes exclusion types and what happens:
@@ -140,34 +122,26 @@ The following table summarizes exclusion types and what happens:
|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
+To learn more, see the following resources:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
- 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
- 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 3. Click **Threat history**
-
- 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Threat history**
+4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
### Set ransomware protection and recovery options
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Ransomware protection**.
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Ransomware protection**.
4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard).
+5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## Related articles
-
+## See also
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 4a620da214..a4354b5403 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -98,7 +98,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection:
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
+ - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
@@ -122,7 +122,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
### Are you using Windows OS 1709, 1803, or 1809?
-If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
+If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
#### Use PowerShell to determine whether tamper protection is turned on
@@ -186,7 +186,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
### To which Windows OS versions is configuring tamper protection is applicable?
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 309c56967a..0230069f42 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -31,7 +31,13 @@ ms.technology: mde
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
-Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
+## Enable advanced features
+
+1. In the navigation pane, select **Preferences setup** > **Advanced features**.
+2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
+3. Click **Save preferences**.
+
+Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.
## Automated investigation
@@ -121,22 +127,6 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
-## Microsoft Secure Score
-
-Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
-
-### Enable the Defender for Endpoint integration from the Azure ATP portal
-
-To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
-
-1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
-
-2. Click **Create your instance**.
-
-3. Toggle the Integration setting to **On** and click **Save**.
-
-After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
-
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
@@ -166,6 +156,22 @@ Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
+## Microsoft Secure Score
+
+Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+
+### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+
+To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
+
+1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
+
+2. Click **Create your instance**.
+
+3. Toggle the Integration setting to **On** and click **Save**.
+
+After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
+
## Microsoft Intune connection
Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
@@ -185,7 +191,6 @@ When you enable Intune integration, Intune will automatically create a classic C
>[!NOTE]
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
-
## Preview features
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
@@ -198,12 +203,6 @@ Forwards endpoint security alerts and their triage status to Microsoft Complianc
After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
-## Enable advanced features
-
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
-2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
-3. Click **Save preferences**.
-
## Related topics
- [Update data retention settings](data-retention-settings.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index 10c0077521..bcfca19802 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -81,24 +81,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics]
The table below lists the current categories and how they generally map to previous categories.
-| New category | Previous categories | Detected threat activity or component |
-|----------------------|----------------------|-------------|
-| Collection | - | Locating and collecting data for exfiltration |
-| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
-| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
-| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
-| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
-| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
-| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
-| Exploit | Exploit | Exploit code and possible exploitation activity |
-| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
-| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
-| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
-| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
-| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
-| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
-| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack |
-| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
+| New category | API category name | Detected threat activity or component |
+|----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| Collection | Collection | Locating and collecting data for exfiltration |
+| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
+| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network |
+| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
+| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
+| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors |
+| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
+| Exploit | Exploit | Exploit code and possible exploitation activity |
+| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
+| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
+| Malware | Malware | Backdoors, trojans, and other types of malicious code |
+| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
+| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
+| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
+| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
+| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
### Status
@@ -124,6 +124,22 @@ Select the source that triggered the alert detection. Microsoft Threat Experts p
>[!NOTE]
>The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
+| Detection source | API value |
+|-----------------------------------|----------------------------|
+| 3rd party sensors | ThirdPartySensors |
+| Antivirus | WindowsDefenderAv |
+| Automated investigation | AutomatedInvestigation |
+| Custom detection | CustomDetection |
+| Custom TI | CustomerTI |
+| EDR | WindowsDefenderAtp |
+| Microsoft 365 Defender | MTP |
+| Microsoft Defender for Office 365 | OfficeATP |
+| Microsoft Threat Experts | ThreatExperts |
+| SmartScreen | WindowsDefenderSmartScreen |
+
+
+
+
### OS platform
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 8cb3df6be0..a9c6b01922 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -38,6 +38,7 @@ Method |Return Type |Description
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md).
+[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md).
[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 3ffff68987..eaee14028a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -107,7 +107,7 @@ You can set attack surface reduction rules for devices that are running any of t
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
+Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index d87c77cf0c..dc1cd47378 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -94,4 +94,4 @@ Currently, AIR only supports the following OS versions:
- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
+- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md
new file mode 100644
index 0000000000..2b93144552
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md
@@ -0,0 +1,108 @@
+---
+title: Batch Update alert entities API
+description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.technology: mde
+---
+
+# Batch update alerts
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
+
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
+
+## API description
+Updates properties of a batch of existing [Alerts](alerts.md).
+
Submission of **comment** is available with or without updating properties.
+
Updatable properties are: `status`, `determination`, `classification` and `assignedTo`.
+
+
+## Limitations
+1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information.
+2. Rate limitations for this API are 10 calls per minute and 500 calls per hour.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
+>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+
+## HTTP request
+```http
+POST /api/alerts/batchUpdate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts.
+
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
+
For best performance you shouldn't include existing values that haven't changed.
+
+Property | Type | Description
+:---|:---|:---
+alertIds | List<String>| A list of the IDs of the alerts to be updated. **Required**
+status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the specified alerts
+classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+comment | String | Comment to be added to the specified alerts.
+
+## Response
+If successful, this method returns 200 OK, with an empty response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate
+```
+
+```json
+{
+ "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"],
+ "status": "Resolved",
+ "assignedTo": "secop2@contoso.com",
+ "classification": "FalsePositive",
+ "determination": "Malware",
+ "comment": "Resolve my alert and assign to secop2"
+}
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 7eb2606edf..bd29f01bd5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -26,9 +26,8 @@ ms.technology: mde
**Applies to:**
- Virtual desktop infrastructure (VDI) devices
+- Windows 10, Windows Server 2019, Windows Server 2008R2/2012R2/2016
->[!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported.
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@@ -60,6 +59,9 @@ The following steps will guide you through onboarding VDI devices and will highl
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
+
+### For Windows 10 or Windows Server 2019
+
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. In the navigation pane, select **Settings** > **Onboarding**.
@@ -110,6 +112,14 @@ The following steps will guide you through onboarding VDI devices and will highl
7. Use the search function by entering the device name and select **Device** as search type.
+
+## For downlevel SKUs
+1. Set registry value 'HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging|VDI’ to “NonPersistent'
+
+2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016).
+
+
+
## Updating non-persistent virtual desktop infrastructure (VDI) images
As a best practice, we recommend using offline servicing tools to patch golden/master images.
For example, you can use the below commands to install an update while the image remains offline:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 6a64647a0c..78039bd903 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/27/2021
+ms.date: 02/11/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -280,8 +280,6 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By
> [!TIP]
> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
-We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings.
-
We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index c34737f912..ecfeae4239 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -33,7 +33,7 @@ Each ASR rule contains one of three settings:
- Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled
-To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
> [!TIP]
> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 8687fe08c9..3ae9907010 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -40,10 +40,18 @@ Learn how to evaluate attack surface reduction rules by enabling audit mode to t
Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.
-To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
+To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet:
```PowerShell
-Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
+Add-MpPreference -AttackSurfaceReductionRules_Ids
## Portal URLs
The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
@@ -39,6 +58,7 @@ Customer type | Portal URL
:---|:---
GCC | https://gcc.securitycenter.microsoft.us
GCC High | https://securitycenter.microsoft.us
+DoD (PREVIEW) | Rolling out
@@ -47,28 +67,28 @@ GCC High | https://securitycenter.microsoft.us
### Standalone OS versions
The following OS versions are supported:
-OS version | GCC | GCC High
-:---|:---|:---
-Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  | 
-Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  | 
-Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
-Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  | 
-Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) |  | 
-Windows 10, version 1709 | 
Note: Won't be supported |  With [KB4499147](https://support.microsoft.com/help/4499147)
Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
-Windows 10, version 1703 and earlier | 
Note: Won't be supported | 
Note: Won't be supported
-Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  | 
-Windows Server 2016 |  |  In development
-Windows Server 2012 R2 |  |  In development
-Windows Server 2008 R2 SP1 |  |  In development
-Windows 8.1 Enterprise |  |  In development
-Windows 8 Pro |  |  In development
-Windows 7 SP1 Enterprise |  |  In development
-Windows 7 SP1 Pro |  |  In development
-Linux |  In development |  In development
-macOS |  In development |  In development
-Android |  On engineering backlog |  On engineering backlog
-iOS |  On engineering backlog |  On engineering backlog
+OS version | GCC | GCC High | DoD (PREVIEW)
+:---|:---|:---|:---
+Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  |  Rolling out
+Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  |  Rolling out
+Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  |  |  Rolling out
+Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  |  |  Rolling out
+Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  |  |  Rolling out
+Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) |  |  |  Rolling out
+Windows 10, version 1709 | 
Note: Won't be supported |  With [KB4499147](https://support.microsoft.com/help/4499147)
Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade | 
Note: Won't be supported
+Windows 10, version 1703 and earlier | 
Note: Won't be supported | 
Note: Won't be supported | 
Note: Won't be supported
+Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  |  |  Rolling out
+Windows Server 2016 |  |  Rolling out |  Rolling out
+Windows Server 2012 R2 |  |  Rolling out |  Rolling out
+Windows Server 2008 R2 SP1 |  |  Rolling out |  Rolling out
+Windows 8.1 Enterprise |  |  Rolling out |  Rolling out
+Windows 8 Pro |  |  Rolling out |  Rolling out
+Windows 7 SP1 Enterprise |  |  Rolling out |  Rolling out
+Windows 7 SP1 Pro |  |  Rolling out |  Rolling out
+Linux |  In development |  In development |  In development
+macOS |  In development |  In development |  In development
+Android |  On engineering backlog |  On engineering backlog |  On engineering backlog
+iOS |  On engineering backlog |  On engineering backlog |  On engineering backlog
> [!NOTE]
> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
@@ -79,11 +99,11 @@ iOS |  On engineering backlog | :
-OS version | GCC | GCC High
-:---|:---|:---
-Windows Server 2016 |  Rolling out | 
-Windows Server 2012 R2 |  Rolling out | 
-Windows Server 2008 R2 SP1 |  Rolling out | 
+OS version | GCC | GCC High | DoD (PREVIEW)
+:---|:---|:---|:---
+Windows Server 2016 |  Rolling out |  | 
+Windows Server 2012 R2 |  Rolling out |  | 
+Windows Server 2008 R2 SP1 |  Rolling out |  | 
@@ -95,14 +115,14 @@ Service location | DNS record
Common URLs for all locations (Global location) | `crl.microsoft.com`
`ctldl.windowsupdate.com`
`notify.windows.com`
`settings-win.data.microsoft.com`
Note: `settings-win.data.microsoft.com` is only needed on Windows 10 devices running version 1803 or earlier.
Common URLs for all US Gov customers | `us4-v20.events.data.microsoft.com`
`*.blob.core.usgovcloudapi.net`
Defender for Endpoint GCC specific | `winatp-gw-usmt.microsoft.com`
`winatp-gw-usmv.microsoft.com`
-Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com`
`winatp-gw-usgv.microsoft.com`
+Defender for Endpoint GCC High & DoD (PREVIEW) specific | `winatp-gw-usgt.microsoft.com`
`winatp-gw-usgv.microsoft.com`
## API
Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
-Endpoint type | GCC | GCC High
+Endpoint type | GCC | GCC High & DoD (PREVIEW)
:---|:---|:---
Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us`
Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us`
@@ -111,30 +131,30 @@ SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https:/
## Feature parity with commercial
-Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
+Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available we want to highlight.
-These are the known gaps as of January 2021:
+These are the known gaps as of February 2021:
-Feature name | GCC | GCC High
-:---|:---|:---
-Automated investigation and remediation: Live response |  |  In development
-Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog
-Email notifications |  Rolling out |  In development
-Evaluation lab |  |  In development
-Management and APIs: Device health and compliance report |  |  In development
-Management and APIs: Integration with third-party products |  |  In development
-Management and APIs: Streaming API |  |  In development
-Management and APIs: Threat protection report |  |  In development
-Threat & vulnerability management |  |  In development
-Threat analytics |  |  In development
-Web content filtering |  In development |  In development
-Integrations: Azure Sentinel |  |  In development
-Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog
-Integrations: Microsoft Intune |  |  In development
-Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development
-Integrations: Skype for Business / Teams |  |  In development
-Microsoft Threat Experts |  On engineering backlog |  On engineering backlog
+Feature name | GCC | GCC High | DoD (PREVIEW)
+:---|:---|:---|:---
+Automated investigation and remediation: Live response |  |  Rolling out |  Rolling out
+Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Email notifications |  Rolling out |  Rolling out |  Rolling out
+Evaluation lab |  |  Rolling out |  Rolling out
+Management and APIs: Device health and compliance report |  |  Rolling out |  Rolling out
+Management and APIs: Integration with third-party products |  In development |  In development |  In development
+Management and APIs: Streaming API |  |  In development |  In development
+Management and APIs: Threat protection report |  |  Rolling out |  Rolling out
+Threat & vulnerability management |  |  Rolling out |  Rolling out
+Threat analytics |  |  Rolling out |  Rolling out
+Web content filtering |  In development |  In development |  In development
+Integrations: Azure Sentinel |  |  In development |  In development
+Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog |  On engineering backlog
+Integrations: Microsoft Intune |  |  In development |  In development
+Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development |  In development
+Integrations: Skype for Business / Teams |  |  Rolling out |  Rolling out
+Microsoft Threat Experts |  On engineering backlog |  On engineering backlog |  On engineering backlog
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png
new file mode 100644
index 0000000000..6591814422
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png
new file mode 100644
index 0000000000..fd74c7c487
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png
new file mode 100644
index 0000000000..9bdf843bfc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png
new file mode 100644
index 0000000000..5505691561
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png
new file mode 100644
index 0000000000..01fb4c8c22
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mcafee-mde-migration.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png
new file mode 100644
index 0000000000..b57fb891aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nonms-mde-migration.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png
new file mode 100644
index 0000000000..5345928db9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-mde-migration.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 046ec05444..46594777a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -41,6 +41,7 @@ This article describes how to deploy Microsoft Defender for Endpoint for Linux m
- [Application installation](#application-installation)
- [Download the onboarding package](#download-the-onboarding-package)
- [Client configuration](#client-configuration)
+ - [Installer script](#installer-script)
- [Log installation issues](#log-installation-issues)
- [Operating system upgrades](#operating-system-upgrades)
- [Uninstallation](#uninstallation)
@@ -343,6 +344,31 @@ Download the onboarding package from Microsoft Defender Security Center:
mdatp threat list
```
+## Installer script
+
+Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/).
+The script identifies the distribution and version, and sets up the device to pull the latest package and install it.
+You can also onboard with a provided script.
+
+```bash
+❯ ./mde_installer.sh --help
+usage: basename ./mde_installer.sh [OPTIONS]
+Options:
+-c|--channel specify the channel from which you want to install. Default: insiders-fast
+-i|--install install the product
+-r|--remove remove the product
+-u|--upgrade upgrade the existing product
+-o|--onboard onboard/offboard the product with
+> Filtering will only find portal set tags.
You can also delete tags from this view.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
index 9f65ae6e85..fda35b3de6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
@@ -20,29 +20,30 @@ ms.collection:
- m365solution-overview
ms.topic: conceptual
ms.custom: migrationguides
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Migrate from McAfee to Microsoft Defender for Endpoint
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
+:::image type="content" source="images/mcafee-mde-migration.png" alt-text="Overview of migrating from McAfee to Defender for Endpoint":::
+
+When you make the switch from McAfee to Defender for Endpoint, you begin with your McAfee solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove McAfee.
## The migration process
-When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases: Prepare, Setup, and Onboard.
-
|Phase |Description |
|--|--|
-|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During the [**Prepare**](mcafee-to-microsoft-defender-prepare.md) phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
+|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During the [**Setup**](mcafee-to-microsoft-defender-setup.md) phase, you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During the [**Onboard**](mcafee-to-microsoft-defender-onboard.md) phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
## What's included in Microsoft Defender for Endpoint?
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
index f703c93219..053a70a737 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
@@ -20,14 +20,12 @@ ms.collection:
- m365solution-scenario
ms.custom: migrationguides
ms.topic: article
-ms.date: 09/24/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
index 8108d9e245..a11af93ccf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
@@ -20,15 +20,12 @@ ms.collection:
- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Migrate from McAfee - Phase 1: Prepare for your migration
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|--|--|--|
|*You are here!*| | |
@@ -110,10 +107,10 @@ To enable communication between your devices and Microsoft Defender for Endpoint
|Capabilities | Operating System | Resources |
|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
index d98440f9bd..78a654099e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -20,15 +20,12 @@ ms.collection:
- m365solution-scenario
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
|--|--|--|
||*You are here!* | |
@@ -168,8 +165,8 @@ The specific exclusions to configure depend on which version of Windows your end
|OS |Exclusions |
|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add McAfee to the exclusion list for Microsoft Defender Antivirus
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 34f6e68ce9..08da2fb3c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -37,9 +37,9 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Enable raw data streaming:
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
+1. Log in to the [Microsoft Defender Security Center](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+2. Go to the [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 436460fd43..016fe59de6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -37,7 +37,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Enable raw data streaming:
-1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user.
+1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index dff9f2f7e1..315047b17b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -1,5 +1,5 @@
---
-title: Take response actions on a file in Microsoft Defender ATP
+title: Take response actions on a file in Microsoft Defender for Endpoint
description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details.
keywords: respond, stop and quarantine, block file, deep analysis
search.product: eADQiWindows 10XVcnh
@@ -56,7 +56,6 @@ Some actions require certain permissions. The following table describes what act
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
-
## Stop and quarantine files in your network
You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
@@ -68,7 +67,7 @@ You can contain an attack in your organization by stopping the malicious process
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
+The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data such as registry keys.
This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
@@ -82,7 +81,6 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select **File** from the drop–down menu and enter the file name
-
> [!NOTE]
> The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
@@ -90,7 +88,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
-3. Specify a reason, then click **Confirm**.
+3. Specify a reason, then select **Confirm**.
@@ -112,7 +110,7 @@ When the file is being removed from a device, the following notification is show
In the device timeline, a new event is added for each device where a file was stopped and quarantined.
-For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
+A warning is shown before the action is implemented for files widely used throughout an organization. It's to validate that the operation is intended.
## Restore file from quarantine
@@ -138,9 +136,23 @@ You can roll back and remove a file from quarantine if you’ve determined that
> [!IMPORTANT]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
+## Download or collect file
+
+Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password.
+
+By default, you will not be able to download files that are in quarantine.
+
+
+
+### Collect files
+
+If a file is not already stored by Microsoft Defender for Endpoint, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
+> [!Important]
+> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
+
## Add indicator to block or allow a file
-You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
+Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
> [!IMPORTANT]
>
@@ -164,56 +176,43 @@ To start blocking files, you first need to [turn the **Block or allow** feature
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
+Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
-To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
+To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position as the **Add Indicator** action, before you added the indicator.
You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
-## Download or collect file
-
-Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
-
-
-
-When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
-
-
-
-If a file is not already stored by Defender for Endpoint, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
-
## Consult a threat expert
-You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
+Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
-The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
+The **Action center** provides information on actions that were taken on a device or file. You can view the following details:
- Investigation package collection
- Antivirus scan
- App restriction
- Device isolation
-All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
+All other related details are also shown, such as submission date/time, submitting user, and if the action succeeded or failed.
-
## Deep analysis
-Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Selecting a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
-Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself.
+Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display a summary and the date and time of the latest available results.
-The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message.
+The deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
@@ -227,22 +226,22 @@ Use the deep analysis feature to investigate the details of any file, usually du
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
-You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
+You can also submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
-When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
+When the sample is collected, Defender for Endpoint runs the file in a secure environment. It then creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
-#### Submit files for deep analysis
+### Submit files for deep analysis
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
- - **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section
+ - Alerts - select the file links from the **Description** or **Details** in the Artifact timeline
+ - **Devices list** - select the file links from the **Description** or **Details** in the **Device in organization** section
- Search box - select **File** from the drop–down menu and enter the file name
-2. In the **Deep analysis** tab of the file view, click **Submit**.
+2. In the **Deep analysis** tab of the file view, select **Submit**.
@@ -254,9 +253,9 @@ A progress bar is displayed and provides information on the different stages of
> [!NOTE]
> Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-#### View deep analysis reports
+### View deep analysis reports
-View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+View the provided deep analysis report to see more in-depth insights on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
@@ -268,19 +267,16 @@ The details provided can help you investigate if there are indications of a pote
1. Select the file you submitted for deep analysis.
2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
- 
+ 
#### Troubleshoot deep analysis
-If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
+If you come across a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-
-1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-
-1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-
-1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
+2. Ensure the service has access to the file, that it still exists, and hasn't been corrupted or modified.
+3. Wait a short while and try to submit the file again. The queue may be full, or there was a temporary connection or communication error.
+4. If the sample collection policy isn't configured, then the default behavior is to allow sample collection. If it's configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
```powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
index 1780f55497..9e6acab8df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
@@ -19,14 +19,18 @@ ms.collection:
- m365solution-overview
ms.topic: conceptual
ms.custom: migrationguides
-ms.date: 09/24/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
ms.technology: mde
---
# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
-If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration.
+If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint), you're in the right place. Use this article as a guide.
+
+:::image type="content" source="images/nonms-mde-migration.png" alt-text="Overview of migrating to Defender for Endpoint":::
+
+When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove the non-Microsoft solution.
> [!TIP]
> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
index 2a3c2f472f..a035ccb910 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
@@ -19,7 +19,7 @@ ms.collection:
- m365solution-migratetomdatp
ms.custom: migrationguides
ms.topic: article
-ms.date: 09/24/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -40,11 +40,8 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
## Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
2. Choose **Settings** > **Device management** > **Onboarding**.
-
3. In the **Select operating system to start onboarding process** list, select an operating system.
-
4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
### Onboarding methods
@@ -63,7 +60,6 @@ Deployment methods vary, depending on which operating system is selected. Refer
To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
|Operating system |Guidance |
|---------|---------|
|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
index a49d62bf03..f014d6735b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
@@ -19,7 +19,7 @@ ms.collection:
- m365solution-migratetomdatp
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -65,11 +65,8 @@ Need help updating your organization's devices? See the following resources:
Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
@@ -84,14 +81,11 @@ The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
If your organization requires a method other than Intune, choose one of the following options:
- [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
## Configure device proxy and internet connectivity settings
@@ -100,10 +94,10 @@ To enable communication between your devices and Microsoft Defender for Endpoint
|Capabilities | Operating System | Resources |
|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
index 6b6dd2a9cd..1c9d5914a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
@@ -19,7 +19,7 @@ ms.collection:
- m365solution-migratetomdatp
ms.topic: article
ms.custom: migrationguides
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@@ -55,17 +55,11 @@ This step of the migration process includes the following tasks:
The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
1. On your Windows Server device, open Registry Editor.
-
2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- If you do not see that entry, you're all set.
-
- If you do see **DisableAntiSpyware**, proceed to step 4.
-
4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
5. Set the value to `0`. (This sets the registry key's value to *false*.)
> [!TIP]
@@ -80,25 +74,19 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
> - Windows Server 2016
1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
+2. Run the following PowerShell cmdlets:
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
> [!NOTE]
> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
> Example:
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
-
`Get-Service -Name windefend`
> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+> Need help? See [Microsoft Defender Antivirus on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
@@ -106,11 +94,8 @@ Because your organization is still using your existing endpoint protection solut
1. Open Registry Editor, and then navigate to
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
-
- Set the DWORD's value to **1**.
-
- Under **Base**, select **Hexadecimal**.
> [!NOTE]
@@ -127,9 +112,9 @@ To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
|Method |What to do |
|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Confirm that Microsoft Defender Antivirus is in passive mode
@@ -137,8 +122,8 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do |
|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
@@ -164,8 +149,8 @@ The specific exclusions to configure depend on which version of Windows your end
|OS |Exclusions |
|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
@@ -181,33 +166,27 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Method | What to do|
|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
+4. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
+5. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow**
- Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
+6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+7. On the **Summary** tab, review the settings, and then click **Save**.
### Find a file hash using CMPivot
@@ -216,15 +195,10 @@ CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc
To use CMPivot to get your file hash, follow these steps:
1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
4. Select the **Query** tab.
-
5. In the **Device Collection** list, and choose **All Systems (default)**.
-
6. In the query box, type the following query:
```kusto
@@ -239,16 +213,14 @@ To use CMPivot to get your file hash, follow these steps:
| Collection type | What to do |
|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection
Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
> [!TIP]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
index 7f20e3e024..9c5fa1bbb5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
@@ -19,17 +19,17 @@ ms.collection:
- m365solution-symantecmigrate
- m365solution-overview
ms.topic: conceptual
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec to Microsoft Defender for Endpoint
+If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+:::image type="content" source="images/symantec-mde-migration.png" alt-text="Overview of migrating from Symantec to Defender for Endpoint":::
-
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration.
+When you make the switch from Symantec to Defender for Endpoint, you begin with your Symantec solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove Symantec.
## The migration process
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index 9ba924e18a..0a2b297d72 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -18,16 +18,13 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/24/2020
+ms.date: 02/11/2021
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |
Phase 3: Onboard |
|--|--|--|
|| |*You are here!* |
@@ -43,11 +40,8 @@ ms.reviewer: depicker, yongrhee, chriggs
## Onboard devices to Microsoft Defender for Endpoint
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
2. Choose **Settings** > **Device management** > **Onboarding**.
-
3. In the **Select operating system to start onboarding process** list, select an operating system.
-
4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
### Onboarding methods
@@ -66,7 +60,6 @@ Deployment methods vary, depending on which operating system is selected. Refer
To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
|Operating system |Guidance |
|---------|---------|
|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
@@ -78,12 +71,11 @@ To verify that your onboarded devices are properly connected to Microsoft Defend
Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
-
-2. Delete the uninstall password for Symantec:
+2. Delete the uninstall password for Symantec:
1. On your Windows devices, open Registry Editor as an administrator.
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
- 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-
+ 3. Look for an entry named **SmcInstData**.
+ 4. Right-click the item, and then choose **Delete**.
3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
@@ -102,7 +94,5 @@ To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([http
## Next steps
**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
index 4d58af47fd..2b72584931 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
@@ -18,16 +18,13 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 09/22/2020
+ms.date: 02/11/2021
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec - Phase 1: Prepare for your migration
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
|
Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
|*You are here!*| | |
@@ -45,11 +42,8 @@ This migration phase includes the following steps:
To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
-
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
@@ -64,14 +58,11 @@ The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
+2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+ If your organization requires a method other than Intune, choose one of the following options:
- [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
## Configure device proxy and internet connectivity settings
@@ -80,15 +71,14 @@ To enable communication between your devices and Microsoft Defender for Endpoint
|Capabilities | Operating System | Resources |
|:----|:----|:---|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
+|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
+|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
## Next step
**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index da69f9acd3..9224748cb5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -18,16 +18,13 @@ ms.collection:
- M365-security-compliance
- m365solution-symantecmigrate
ms.topic: article
-ms.date: 11/30/2020
+ms.date: 02/11/2021
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |
Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
|--|--|--|
||*You are here!* | |
@@ -63,9 +60,7 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
2. Run the following PowerShell cmdlets:
-
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
@@ -74,7 +69,6 @@ Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
> Example:
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend`
@@ -87,7 +81,6 @@ Because your organization is still using Symantec, you must set Microsoft Defend
1. Open Registry Editor, and then navigate to
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- Set the DWORD's value to **1**.
- Under **Base**, select **Hexadecimal**.
@@ -106,9 +99,9 @@ To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
|Method |What to do |
|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Verify that Microsoft Defender Antivirus is in passive mode
@@ -116,8 +109,8 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do |
|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
@@ -138,8 +131,8 @@ This step of the setup process involves adding Microsoft Defender for Endpoint t
|OS |Exclusions |
|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
+|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add Symantec to the exclusion list for Microsoft Defender Antivirus
@@ -158,35 +151,27 @@ You can choose from several methods to add your exclusions to Microsoft Defender
|Method | What to do|
|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
-
+4. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
-
+5. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow**
- Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
+6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+7. On the **Summary** tab, review the settings, and then click **Save**.
### Find a file hash using CMPivot
@@ -195,17 +180,11 @@ CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc
To use CMPivot to get your file hash, follow these steps:
1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
4. Select the **Query** tab.
-
5. In the **Device Collection** list, and choose **All Systems (default)**.
-
6. In the query box, type the following query:
-
```kusto
File(c:\\windows\\notepad.exe)
| project Hash
@@ -219,16 +198,15 @@ To use CMPivot to get your file hash, follow these steps:
| Collection type | What to do |
|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
+|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection
Using Configuration Manager and your device collection(s), configure your antimalware policies.
- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
> [!TIP]
@@ -237,5 +215,4 @@ Using Configuration Manager and your device collection(s), configure your antima
## Next step
**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index d1126a244c..1f4b3d7e89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -101,6 +101,14 @@ It's possible to override the blocked category in web content filtering to allow
2. Enter the domain of the site
3. Set the policy action to **Allow**.
+### Reporting inaccuracies
+
+If you encounter a domain that has been incorrectly categorized, you can report inaccuracies directly to us from the Web Content Filtering reports page. This feature is available only in the new Microsoft 365 security center (security.microsoft.com).
+
+To report an inaccuracy, navigate to **Reports > Web protection > Web Content Filtering Details > Domains**. On the domains tab of our Web Content Filtering reports, you will see an ellipsis beside each of the domains. Hover over this ellipsis and select **Report Inaccuracy**.
+
+A panel will open where you can select the priority and add additional details such as the suggested category for re-categorization. Once you complete the form, select **Submit**. Our team will review the request within one business day. For immediate unblocking, create a [custom allow indicator](indicator-ip-domain.md).
+
## Web content filtering cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 509869f9e5..18151f137c 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -46,7 +46,7 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for enterprise (Sept 2019)
- Microsoft Edge security baseline
- - Version 85
+ - Version 88
- Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update)
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index db7887046c..142ab09ad4 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -41,7 +41,7 @@ Here's an approximate scaling guide for WEF events:
| 5,000 - 50,000 | SEM |
| 50,000+ | Hadoop/HDInsight/Data Lake |
-Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
+Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb).
@@ -147,7 +147,7 @@ Yes. If you desire a High-Availability environment, simply configure multiple WE
### What are the WEC server’s limitations?
-There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume.
+There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
- **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive.
- **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server.
@@ -661,4 +661,3 @@ You can get more info with the following links:
- [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
- [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625)
-
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index e2a1224d61..d863d37050 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -26,9 +26,9 @@ ms.technology: mde
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
-- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows)
-
-- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo)
+- [Create WMI Filters for the GPO](#create-wmi-filters-for-the-gpo)
+ - [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows)
+ - [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo)
**Administrative credentials**
@@ -80,6 +80,12 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
```
+ Specific versions of Windows 10 can be targeted by including the *major build version* in the query. The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
+
+ ```syntax
+ select * from Win32_OperatingSystem where Version like "10.0.19042" and ProductType="1"
+ ```
+
The following query returns **true** for any device running Windows Server 2016, except domain controllers:
``` syntax
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index d4d30ecdba..ad59eb692c 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -41,7 +41,16 @@
"depot_name": "MSDN.win-threat-protection",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
index c5ef1b98ba..769331235a 100644
--- a/windows/update/docfx.json
+++ b/windows/update/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-update",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
deleted file mode 100644
index 9be4f860e1..0000000000
--- a/windows/whats-new/TOC.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# [What's new in Windows 10](index.md)
-## [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md)
-## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
-## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
-## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
-## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
-## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
-## Previous versions
-### [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md)
-### [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
-### [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
-### [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
new file mode 100644
index 0000000000..a0d1667af2
--- /dev/null
+++ b/windows/whats-new/TOC.yml
@@ -0,0 +1,24 @@
+- name: What's new in Windows 10
+ href: index.yml
+- name: What's new in Windows 10, version 20H2
+ href: whats-new-windows-10-version-20H2.md
+- name: What's new in Windows 10, version 2004
+ href: whats-new-windows-10-version-2004.md
+- name: What's new in Windows 10, version 1909
+ href: whats-new-windows-10-version-1909.md
+- name: What's new in Windows 10, version 1903
+ href: whats-new-windows-10-version-1903.md
+- name: What's new in Windows 10, version 1809
+ href: whats-new-windows-10-version-1809.md
+- name: What's new in Windows 10, version 1803
+ href: whats-new-windows-10-version-1803.md
+- name: Previous versions
+ items:
+ - name: What's new in Windows 10, version 1709
+ href: whats-new-windows-10-version-1709.md
+ - name: What's new in Windows 10, version 1703
+ href: whats-new-windows-10-version-1703.md
+ - name: What's new in Windows 10, version 1607
+ href: whats-new-windows-10-version-1607.md
+ - name: What's new in Windows 10, versions 1507 and 1511
+ href: whats-new-windows-10-version-1507-and-1511.md
\ No newline at end of file
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 880041f98f..04908deceb 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -3,7 +3,8 @@
"content": [
{
"files": [
- "**/*.md"
+ "**/*.md",
+ "**/*.yml"
],
"exclude": [
"**/obj/**",
@@ -46,6 +47,15 @@
}
},
"titleSuffix": "What's new in Windows",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
"searchScope": ["Windows 10"]
},
"fileMetadata": {},
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
deleted file mode 100644
index 559ab66233..0000000000
--- a/windows/whats-new/index.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: What's new in Windows 10 (Windows 10)
-description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
-ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
-keywords: ["What's new in Windows 10", "Windows 10"]
-ms.prod: w10
-audience: itpro
-author: greg-lindsay
-ms.author: greglin
-manager: laurawi
-ms.localizationpriority: high
-ms.topic: article
----
-
-# What's new in Windows 10
-
-Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
-
-## In this section
-
-- [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md)
-- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
-- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
-- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
-- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
-- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
-
-
-## Learn more
-
-- [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)
-- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004)
-- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history)
-- [What’s new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new)
-- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features)
-- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features)
-- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485)
-
-## See also
-
-[Windows 10 Enterprise LTSC](ltsc/index.md)
-[Edit an existing topic using the Edit link](contribute-to-a-topic.md)
-
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
new file mode 100644
index 0000000000..20d56ff5c8
--- /dev/null
+++ b/windows/whats-new/index.yml
@@ -0,0 +1,68 @@
+### YamlMime:Landing
+
+title: What's new in Windows 10 # < 60 chars
+summary: Find out about new features and capabilities in the latest release of Windows 10. # < 160 chars
+
+metadata:
+ title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 02/09/2021 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: What's new in Windows 10
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What's new in Windows 10, version 20H2
+ url: whats-new-windows-10-version-20H2.md
+ - text: What's new in Windows 10, version 2004
+ url: whats-new-windows-10-version-2004.md
+ - text: What's new in Windows 10, version 1909
+ url: whats-new-windows-10-version-1909.md
+ - text: What's new in Windows 10, version 1903
+ url: whats-new-windows-10-version-1903.md
+ - text: What's new in Windows 10, version 1809
+ url: whats-new-windows-10-version-1809.md
+ - text: What's new in Windows 10, version 1803
+ url: whats-new-windows-10-version-1803.md
+
+ # Card (optional)
+ - title: Learn more
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 release information
+ url: https://docs.microsoft.com/en-us/windows/release-health/release-information
+ - text: Windows 10 release health dashboard
+ url: https://docs.microsoft.com/windows/release-information/
+ - text: Windows 10 update history
+ url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
+ - text: Windows 10 features we’re no longer developing
+ url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features
+ - text: Features and functionality removed in Windows 10
+ url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features
+ - text: Compare Windows 10 Editions
+ url: https://go.microsoft.com/fwlink/p/?LinkId=690485
+
+ # Card (optional)
+ - title: See also
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 Enterprise LTSC
+ url: ltsc/index.md
+ - text: Edit an existing topic using the Edit link
+ url: contribute-to-a-topic.md
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 09f32c39f4..61f137f85b 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -49,4 +49,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as
## See Also
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option.
+[Windows 10 - Release information](https://docs.microsoft.com/windows/release-health/release-information): Windows 10 current versions by servicing option.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 2346ec23c7..4aec0eab76 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -18,7 +18,7 @@ ms.topic: article
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
-For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
+For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE]
>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
@@ -186,7 +186,7 @@ You can also now collect your audit event logs by using the Reporting configurat
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business
@@ -252,13 +252,13 @@ For more info, see [Implement server-side support for mobile application managem
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
### Windows diagnostic data
@@ -294,7 +294,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- OTC update tool
- Continuum display management
- Individually turn off the monitor or phone screen when not in use
- - Indiviudally adjust screen time-out settings
+ - individually adjust screen time-out settings
- Continuum docking solutions
- Set Ethernet port properties
- Set proxy properties for the Ethernet port