diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 7ee2caf174..cb590ce308 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -2,19 +2,19 @@ documentType: LandingData -title: Microsoft Edge group policies +title: Microsoft Edge Legacy group policies metadata: document_id: - title: Microsoft Edge group policies + title: Microsoft Edge Legacy group policies - description: Learn how to configure group policies in Microsoft Edge on Windows 10. + description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - keywords: Microsoft Edge, Windows 10, Windows 10 Mobile + keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile ms.localizationpriority: medium @@ -36,7 +36,7 @@ sections: - type: markdown - text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - items: diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index 0afcf97eb7..61b851adf2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml @@ -2,19 +2,19 @@ documentType: LandingData -title: Microsoft Edge Group Policy configuration options +title: Microsoft Edge Legacy Group Policy configuration options metadata: document_id: - title: Microsoft Edge Group Policy configuration options + title: Microsoft Edge Group Legacy Policy configuration options description: - text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - - keywords: Microsoft Edge, Windows 10 + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge Legacy, Windows 10 ms.localizationpriority: medium @@ -36,7 +36,7 @@ sections: - type: markdown - text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. + text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. - items: diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 6dcad5821b..d9ff00d3a8 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -32,6 +32,7 @@ ## [Create, share, and view photos and video](holographic-photos-and-videos.md) # User management and access management +## [Accounts on HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) ## [Set up limited application access](hololens-kiosk.md) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md new file mode 100644 index 0000000000..3cc6cc4cfc --- /dev/null +++ b/devices/hololens/hololens-identity.md @@ -0,0 +1,111 @@ +--- +title: Managing user identity and login on HoloLens +description: Manage user identity, security, and login on HoloLens. +keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference +ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e +author: scooley +ms.author: scooley +ms.date: 1/6/2019 +ms.prod: hololens +ms.topic: article +ms.sitesec: library +ms.topic: article +ms.localizationpriority: medium +audience: ITPro +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# User identity and signin + +> [!NOTE] +> This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)". + +Like other Windows devices, HoloLens always operates under a user context. There is always a user identity. HoloLens treats identity in almost the same manner as other Windows 10 devices do. This article is a deep-dive reference for identity on HoloLens, and focuses on how HoloLens differs from other Windows 10 devices. + +HoloLens supports several kinds of user identities. You can use one or more user accounts to sign in. Here's an overview of the identity types and authentication options on HoloLens: + +| Identity type | Accounts per device | Authentication options | +| --- | --- | --- | +| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) | | +| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 | | +| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password | + +Cloud-connected accounts (AAD and MSA) offer more features because they can use Azure services. + +## Setting up users + +The most common way to set up a new user is during the HoloLens out-of-box experience (OOBE). During setup, HoloLens prompts for a user to sign in by using the account that they want to use on the device. This account can be a consumer Microsoft account or an enterprise account that has been configured in Azure. See Setting up your [HoloLens (1st gen)](hololens1-start.md) or [HoloLens 2](hololens2-start.md). + +Like Windows on other devices, signing in during setup creates a user profile on the device. The user profile stores apps and data. The same account also provides Single Sign-on for apps such as Edge or Skype by using the Windows Account Manager APIs. + +If you use an enterprise or organizational account to sign in to HoloLens, HoloLens enrolls in the organization's IT infrastructure. This enrollment allows your IT Admin to configure Mobile Device Management (MDM) to send group policies to your HoloLens. + +By default, as for other Windows 10 devices, you'll have to sign in again when HoloLens restarts or resumes from standby. You can use the Settings app to change this behavior, or the behavior can be controlled by group policy. + +### Linked accounts + +As in the Desktop version of Windows, you can link additional web account credentials to your HoloLens account. Such linking makes it easier to access resources across or within apps (such as the Store) or to combine access to personal and work resources. After you connect an account to the device, you can grant permission to use the device to apps so that you don't have to sign in to each app individually. + +Linking accounts does not separate the user data created on the device, such as images or downloads. + +### Setting up multi-user support (AAD only) + +> [!NOTE] +> **HoloLens (1st gen)** began supporting multiple AAD users in the [Windows 10 April 2018 Update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) as part of [Windows Holographic for Business](hololens-upgrade-enterprise.md). + +HoloLens supports multiple users from the same AAD tenant. To use this feature, you must use an account that belongs to your organization to set up the device. Subsequently, other users from the same tenant can sign in to the device from the sign-in screen or by tapping the user tile on the Start panel. Only one user can be signed in at a time. When a user signs in, HoloLens signs out the previous user. + +All users can use the apps installed on the device. However, each user has their own app data and preferences. Removing an app from the device removes it for all users. + +## Removing users + +You can remove a user from the device by going to **Settings** > **Accounts** > **Other people**. This action also reclaims space by removing all of that user's app data from the device. + +## Using single sign-on within an app + +As an app developer, you can take advantage of linked identities on HoloLens by using the [Windows Account Manager APIs](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.Web.Core), just as you would on other Windows devices. Some code samples for these APIs are available [here](https://go.microsoft.com/fwlink/p/?LinkId=620621). + +Any account interrupts that might occur, such as requesting user consent for account information, two-factor authentication, and so forth, must be handled when the app requests an authentication token. + +If your app requires a specific account type that hasn't been linked previously, your app can ask the system to prompt the user to add one. This request triggers the account settings pane to launch as a modal child of your app. For 2D apps, this window renders directly over the center of your app. For Unity apps, this request briefly takes the user out of your holographic app to render the child window. For information about customizing the commands and actions on this pane, see [WebAccountCommand Class](https://docs.microsoft.com/uwp/api/Windows.UI.ApplicationSettings.WebAccountCommand). + +## Enterprise and other authentication + +If your app uses other types of authentication, such as NTLM, Basic, or Kerberos, you can use [Windows Credential UI](https://docs.microsoft.com/uwp/api/Windows.Security.Credentials.UI) to collect, process, and store the user's credentials. The user experience for collecting these credentials is very similar to other cloud-driven account interrupts, and appears as a child app on top of your 2D app or briefly suspends a Unity app to show the UI. + +## Deprecated APIs + +One way in which developing for HoloLens differs from developing for Desktop is that the [OnlineIDAuthenticator](https://docs.microsoft.com/uwp/api/Windows.Security.Authentication.OnlineId.OnlineIdAuthenticator) API is not fully supported. Although the API returns a token if the primary account is in good-standing, interrupts such as those described in this article do not display any UI for the user and fail to correctly authenticate the account. + +## Frequently asked questions + +### Is Windows Hello for Business supported on HoloLens? + +Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: + +1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). +1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) +1. On HoloLens, the user can then use **Settings** > **Sign-in Options** > **Add PIN** to set up a PIN. + +> [!NOTE] +> Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). + +#### Does the type of account change the sign-in behavior? + +Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: + +- **Microsoft account**: signs in automatically +- **Local account**: always asks for password, not configurable in **Settings** +- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password. + +> [!NOTE] +> Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy. + +## Additional resources + +Read much more about user identity protection and authentication on [the Windows 10 security and identity documentation](https://docs.microsoft.com/windows/security/identity-protection/). + +Learn more about setting up hybrid identity infrastructure thorough the [Azure Hybrid identity documentation](https://docs.microsoft.com/azure/active-directory/hybrid/). diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md index 319644824d..79189a7cf6 100644 --- a/devices/hololens/hololens2-setup.md +++ b/devices/hololens/hololens2-setup.md @@ -62,7 +62,7 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. | | To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. | -| To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | +| To turn off | Press and hold for 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | ## HoloLens behavior reference diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7f3793ed3f..88b0653b00 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,7 +49,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` -[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. +> [!IMPORTANT] +> ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 47c2ffed10..1761581ced 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -46,9 +46,14 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry). 1. Run regedit from a command prompt to open the Windows Registry Editor. - - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface Brightness Control\ - + + If you're running an older version of Surface Brightness control, run the following command instead: + + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + Brightness Control\ + | Registry Setting | Data| Description |-----------|------------|--------------- diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 104b12b126..751ea36a4d 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -50,9 +50,6 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm > [!NOTE] > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" -> [!NOTE] -> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" - For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. > [!IMPORTANT] diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index f8dfc0e3c3..fbb49aae1f 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -206,7 +206,7 @@ This node is deprecated. Use **Biometrics/UseBiometrics** node instead. **Biometrics** (only for ./Device/Vendor/MSFT) Node for defining biometric settings. This node was added in Windows 10, version 1511. -*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. @@ -217,7 +217,7 @@ Default value is true, enabling the biometric gestures for use with Windows Hell Supported operations are Add, Get, Delete, and Replace. -*Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* **Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 58bf93fb63..64a83cf92a 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -14,10 +14,14 @@ ms.localizationpriority: medium # Policy CSP - Browser - +> [!NOTE] +> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
+> [!NOTE] +> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + ## Browser policies diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index 30c3b3aa9f..cfa669f4e5 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -29,21 +29,11 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![register azuread](images/azure-ad-add-tenant11.png) -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. +3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal. - ![register azuread](images/azure-ad-add-tenant12.png) + ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) -4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - ![register azuread](images/azure-ad-add-tenant13.png) - -5. It may take a few minutes to process the request. - - ![register azuread](images/azure-ad-add-tenant14.png) - -6. You will see a welcome page when the process completes. - - ![register azuread](images/azure-ad-add-tenant15.png)   diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 81adf9756d..ae41811326 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -125,9 +125,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha ## Configure when devices receive Quality Updates -Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. -You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. +You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. >[!IMPORTANT] >This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise. @@ -146,7 +146,7 @@ You can set your system to receive updates for other Microsoft products—known ## Pause quality updates -You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again. +You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -201,9 +201,9 @@ The policy settings to **Select when Feature Updates are received** allows you t * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* * MDM: **Update/BranchReadinessLevel** -## Exclude drivers from Quality Updates +## Exclude drivers from quality updates -Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete. **Policy settings to exclude drivers** diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 4f6bf5db20..1b1a144c38 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 71ebf32bab..a4c6a01688 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -35,7 +35,7 @@ The following table describes some log files and how to use them for troubleshoo
- + @@ -52,7 +52,7 @@ setupapi.dev.log
Event logs (*.evtx)
Log filePhase: LocationDescriptionWhen to use
Log filePhase: LocationDescriptionWhen to use
setupact.logDown-Level:
$Windows.~BT\Sources\Panther		Contains information about setup actions during the downlevel phase. All down-level failures and starting point for rollback investigations.
This is the most important log for diagnosing setup issues.
OOBE:
$Windows.~BT\Sources\Panther\UnattendGC		 $Windows.~BT\Sources\RollbackAdditional logs collected during rollback. -Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
+Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
Setupapi: Device install issues - 0x30018
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 7b336767e8..ed046d6920 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -513,9 +513,9 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
- + + @@ -647,7 +647,7 @@ For detailed information on how to run these steps check out Error Codes +
Error code -Cause -Mitigation +Error codeCauseMitigation
CauseMitigation
Error CodesCauseMitigation
0x80070003- 0x20007 This is a failure during SafeOS phase driver installation. diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 5bb2a95e0c..9f3b61be3a 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -91,7 +91,7 @@ The following tables provide the corresponding phase and operation for values of
- + - - -
Extend code: phase
Extend code: phase
HexPhase
0SP_EXECUTION_UNKNOWN
1SP_EXECUTION_DOWNLEVEL @@ -103,7 +103,7 @@ The following tables provide the corresponding phase and operation for values of - + - - - - -
Extend code: operation
Extend code: operation
HexOperation diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 7a4fb81ed7..fb9fdbecee 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -1,1106 +1,1109 @@ ---- -title: Configure a test lab to deploy Windows 10 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm -ms.localizationpriority: medium -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Step by step guide: Configure a test lab to deploy Windows 10 - -**Applies to** - -- Windows 10 - -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - -- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
- -The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. - -Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. - -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. - -> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. -> -> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. - -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. - -## In this guide - -This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. - -After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -
- -
- - - -
TopicDescriptionTime
Hardware and software requirementsPrerequisites to complete this guide.Informational -
Lab setupA description and diagram of the PoC environment.Informational -
Configure the PoC environmentParent topic for procedures.Informational -
Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes -
Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes -
Configure VMsStart virtual machines and configure all services and settings.60 minutes -
Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
Appendix B: Terminology in this guideTerms used in this guide.Informational -
-
- -## Hardware and software requirements - -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - -- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. -- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. - -Harware requirements are displayed below: - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer 1 (required)Computer 2 (recommended)
RoleHyper-V hostClient computer
DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
EditionEnterprise, Professional, or EducationAny
Architecture64-bitAny
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. -
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.		Any
Disk200 GB available hard disk space, any format.Any size, MBR formatted.
CPUSLAT-Capable CPUAny
NetworkInternet connectionAny
- - -\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. -
-
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - -
- -## Lab setup - -The lab architecture is summarized in the following diagram: - -![PoC](images/poc.png) - -- Computer 1 is configured to host four VMs on a private, PoC network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. - ->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. - -The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. - -## Configure the PoC environment - ->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. - -### Procedures in this section - -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VM](#convert-pc-to-vm)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Configure VMs](#configure-vms)
- -### Verify support and install Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - - 
-    C:\>systeminfo
-
-    ...
-    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                               Virtualization Enabled In Firmware: Yes
-                               Second Level Address Translation: Yes
-                               Data Execution Prevention Available: Yes
-
- - In this example, the computer supports SLAT and Hyper-V. - - If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - - 
-    C:\>coreinfo -v
-
-    Coreinfo v3.31 - Dump information on system CPU and memory topology
-    Copyright (C) 2008-2014 Mark Russinovich
-    Sysinternals - www.sysinternals.com
-
-    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-    Microcode signature: 0000001B
-    HYPERVISOR      -       Hypervisor is present
-    VMX             *       Supports Intel hardware-assisted virtualization
-    EPT             *       Supports Intel extended page tables (SLAT)
-
- - Note: A 64-bit operating system is required to run Hyper-V. - -2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - - 
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
- - This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: - - 
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
- - When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - - >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](images/hyper-v-feature.png) - - ![hyper-v](images/svr_mgr2.png) - -

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -### Download VHD and ISO files - -When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account. - -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. - - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - - -
VHD
- -2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. -3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. - -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. - -After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - -The following displays the procedures described in this section, both before and after downloading files: - -

-C:>mkdir VHD
-C:>cd VHD
-C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
-   1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD>dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-
- -### Convert PC to VM - ->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. - -
-If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: -
-
    -
  1. Open the Download virtual machines page. -
  2. Under Virtual machine, choose IE11 on Win7. -
  3. Under Select platform choose HyperV (Windows). -
  4. Click Download .zip. The download is 3.31 GB. -
  5. Extract the zip file. Three directories are created. -
  6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. -
  7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). -
  8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. -
-
- -If you have a PC available to convert to VM (computer 2): - -1. Sign in on computer 2 using an account with Administrator privileges. - ->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. - -2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. -3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). - -#### Determine the VM generation and partition type - -When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. - -
- - - - - - - - - - - - - - - - - - - - -
ArchitectureOperating systemPartition style
Generation 132-bit or 64-bitWindows 7 or laterMBR
Generation 264-bitWindows 8 or laterMBR or GPT
- -
- -If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - -- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. -- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: - -
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
- -If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: - -
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                           Caption                                 Type
-----------                           -------                                 ----
-USER-PC1                             Disk #0, Partition #0                   GPT: System
-USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
-
- -On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: - -
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName                            Caption                               Type
-----------                            -------                               ----
-PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
-PC-X1                                 Disk #0, Partition #1                 GPT: System
-PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
-PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name                  OperationalStatus                     Total Size Partition Style
------- -------------                  -----------------                     ---------- ---------------
-0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
-
- - - -**Choosing a VM generation** - -The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OSPartition styleArchitectureVM generationProcedure
Windows 7MBR321Prepare a generation 1 VM
641Prepare a generation 1 VM
GPT32N/AN/A
641Prepare a generation 1 VM from a GPT disk
Windows 8 or laterMBR321Prepare a generation 1 VM
641, 2Prepare a generation 1 VM
GPT321Prepare a generation 1 VM from a GPT disk
642Prepare a generation 2 VM
- -
- -Notes:
-
    -
  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. -
  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. -
  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. -
- -#### Prepare a generation 1 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). -4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHDX
-
- -#### Prepare a generation 2 VM - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, open an elevated command prompt and type the following command: - - 
mountvol s: /s
- - This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). - -3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. - - **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. - -5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd-gen2.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    PC1.VHDX
-
- -#### Prepare a generation 1 VM from a GPT disk - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. - -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. -4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - - ![disk2vhd](images/disk2vhd4.png) - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - - 
-    C:\vhd>dir /B
-    2012R2-poc-1.vhd
-    2012R2-poc-2.vhd
-    w10-enterprise.iso
-    w7.VHD
-
- - >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. - -### Resize VHD - -
-Enhanced session mode - -**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. - -To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - -
Set-VMhost -EnableEnhancedSessionMode $TRUE
- ->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. - -
- -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. - -1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - 
-    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
-    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
-    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-
- -2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: - - 
-    Get-Volume -DriveLetter $x
-    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
- -### Configure Hyper-V - -1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
-    A) Remove the existing external virtual switch, then add the poc-external switch
-    B) Rename the existing external switch to "poc-external"
-    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
- If you choose B) or C), then do not run the second command below. - - 
-    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
-    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-
- - **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. - - >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" - -2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: - - 
-    (Get-VMHostNumaNode).MemoryAvailable
-
- - This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. - -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: - - 
-    (Get-VMHostNumaNode).MemoryAvailable/4
-    2775.5
-
- - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. - -4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. - >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. - - 
-    $maxRAM = 2700MB
-    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
-    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
-    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
-    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
-    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-
- - **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. - -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. - - To create a generation 1 VM (using c:\vhd\w7.vhdx): - - 
-    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
- - To create a generation 2 VM (using c:\vhd\PC1.vhdx): - - 
-    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-
- - To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): - - >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. - - First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: - - 
-    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
-    Mount-VHD -Passthru |
-    Get-Disk -Number {$_.DiskNumber} |
-    Initialize-Disk -PartitionStyle MBR -PassThru |
-    New-Partition -UseMaximumSize |
-    Format-Volume -Confirm:$false -FileSystem NTFS -force
-    Dismount-VHD -Path c:\vhd\d.vhd
-
- - Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt): - - 
-    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
-    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
-    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
-    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
-    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    Start-VM PC1
-    vmconnect localhost PC1
-
- - The VM will automatically boot into Windows Setup. In the PC1 window: - - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. - 5. Type the following command to save an image of the OS drive: - - 
-      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-
- - 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - - 
-      diskpart
-      select disk 0
-      clean
-      convert MBR
-      create partition primary size=100
-      format fs=ntfs quick
-      active
-      create partition primary
-      format fs=ntfs quick label=OS
-      assign letter=c
-      exit
-
- - 7. Type the following commands to restore the OS image and boot files: - - 
-      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
-      bcdboot c:\windows
-      exit
-
- - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. - 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: - - 
-       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
-       Set-VMDvdDrive -VMName PC1 -Path $null
-
- -### Configure VMs - -1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: - - 
-    Start-VM DC1
-    vmconnect localhost DC1
-
- -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. -3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. -5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: - - 
-    Rename-Computer DC1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-
- - > The default gateway at 192.168.0.2 will be configured later in this guide. - > - > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. - -6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: - - 
-    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
- -7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: - - 
-    Restart-Computer
-
- -8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: - - 
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-
- - Ignore any warnings that are displayed. The computer will automatically reboot upon completion. - -9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: - - 
-    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
-    Add-WindowsFeature -Name DHCP -IncludeManagementTools
-    netsh dhcp add securitygroups
-    Restart-Service DHCPServer
-    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
-    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
-
- -10. Next, add a DHCP scope and set option values: - - 
-    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
-    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-
- - >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. - -11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: - - 
-    Get-DnsServerForwarder
-
- - The following output should be displayed: - - 
-    UseRootHint        : True
-    Timeout(s)         : 3
-    EnableReordering   : True
-    IPAddress          : 192.168.0.2
-    ReorderedIPAddress : 192.168.0.2
-
- - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: - - 
-    Add-DnsServerForwarder -IPAddress 192.168.0.2
-
- - **Configure service and user accounts** - - Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - - >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - - On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
-    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
-    Set-ADUser -Identity user1 -PasswordNeverExpires $true
-    Set-ADUser -Identity administrator -PasswordNeverExpires $true
-    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
-    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-
- -12. Minimize the DC1 VM window but **do not stop** the VM. - - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. - -13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: - - 
-    Start-VM PC1
-    vmconnect localhost PC1
-
- -14. Sign in to PC1 using an account that has local administrator rights. - - >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. - -15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - - ![PoC](images/installing-drivers.png) - - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. - -16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. - -17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: - - ``` - ipconfig - - Windows IP Configuration - - Ethernet adapter Local Area Connection 3: - Connection-specific DNS Suffix . : contoso.com - Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 - Ipv4 Address. . . . . . . . . . . : 192.168.0.101 - Subnet Mask . . . . . . . . . . . : 255.255.255.0 - Default Gateway . . . . . . . . . : 192.168.0.2 - - ping dc1.contoso.com - - Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - - nltest /dsgetdc:contoso.com - DC: \\DC1 - Address: \\192.168.0.1 - Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 - Dom Name: CONTOSO - Forest Name: contoso.com - Dc Site Name: Default-First-Site-Name - Our Site Name: Default-First-Site-Name - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 - ``` - - >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. - -18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: - - 
-    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
- - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. - - See the following example: - - ![ISE](images/ISE.png) - -19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: - - 
-    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
-    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
-
- - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. - -21. On PC1, type the following commands at an elevated Windows PowerShell prompt: - - 
-    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-
- - >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. - -22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. -24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: - - 
-    Start-VM SRV1
-    vmconnect localhost SRV1
-
- -25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. -26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. -27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: - - 
-    Rename-Computer SRV1
-    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
-    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    Restart-Computer
-
- - >[!IMPORTANT] - >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. - -28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: - - 
-    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
-    $user = "contoso\administrator"
-    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
-    Add-Computer -DomainName contoso.com -Credential $cred
-    Restart-Computer
-
- -29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: - - 
-    Install-WindowsFeature -Name DNS -IncludeManagementTools
-    Install-WindowsFeature -Name WDS -IncludeManagementTools
-    Install-WindowsFeature -Name Routing -IncludeManagementTools
-
- -30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. - - To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: - - 
-    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
-    IPAddress                                                                  InterfaceAlias
-    ---------                                                                  --------------
-    10.137.130.118                                                             Ethernet 2
-    192.168.0.2                                                                Ethernet
-
- - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. - - >[!TIP] - >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. - - -31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: - - 
-    Install-RemoteAccess -VpnType Vpn
-    cmd /c netsh routing ip nat install
-    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
-    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
-    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-
- -32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - 
-    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-
- -33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - - 
-    ping www.microsoft.com
-
- - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: - - 
-    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-
- -34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): - - 
-    PS C:\> ping www.microsoft.com
-
-    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
-    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
-    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
-    Ping statistics for 23.222.146.170:
-        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
-    Approximate round trip times in milli-seconds:
-        Minimum = 1ms, Maximum = 3ms, Average = 2ms
-
- -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. -36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: - - 
-    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
-    Restart-Computer
-
- -This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. - -## Appendix A: Verify the configuration - -Use the following procedures to verify that the PoC environment is configured properly and working as expected. - -1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
-    Get-Service NTDS,DNS,DHCP
-    DCDiag -a
-    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    Get-DhcpServerInDC
-    Get-DhcpServerv4Statistics
-    ipconfig /all
-
- - **Get-Service** displays a status of "Running" for all three services.
- **DCDiag** displays "passed test" for all tests.
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
- **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
- **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
- **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. - -2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - 
-    Get-Service DNS,RemoteAccess
-    Get-DnsServerForwarder
-    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    ipconfig /all
-    netsh int ipv4 show address
-
- - **Get-Service** displays a status of "Running" for both services.
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. - -3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - - 
-    whoami
-    hostname
-    nslookup www.microsoft.com
-    ping -n 1 dc1.contoso.com
-    tracert www.microsoft.com
-
- - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
- **hostname** displays the name of the local computer, for example W7PC-001.
- **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
- **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - - -## Appendix B: Terminology used in this guide - -

  - -

- - -
TermDefinition -
GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. -
Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. -
Hyper-V hostThe computer where Hyper-V is installed. -
Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. -
MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. -
Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -
Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. -
Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. -
Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. -
VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. -
- -
- -## Related Topics - - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - - - - - - - - +--- +title: Configure a test lab to deploy Windows 10 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Step by step guide: Configure a test lab to deploy Windows 10 + +**Applies to** + +- Windows 10 + +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: + +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+ +The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. + +Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. + +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. + +> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. + +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. + +## In this guide + +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. + +After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. + +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. + +
+ +
+ + + +
TopicDescriptionTime
Hardware and software requirementsPrerequisites to complete this guide.Informational +
Lab setupA description and diagram of the PoC environment.Informational +
Configure the PoC environmentParent topic for procedures.Informational +
Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes +
Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes +
Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes +
Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes +
Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes +
Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes +
Configure VMsStart virtual machines and configure all services and settings.60 minutes +
Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes +
Appendix B: Terminology in this guideTerms used in this guide.Informational +
+
+ +## Hardware and software requirements + +One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. + +- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. +- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. + +Hardware requirements are displayed below: + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Computer 1 (required)Computer 2 (recommended)
RoleHyper-V hostClient computer
DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
EditionEnterprise, Professional, or EducationAny
Architecture64-bitAny
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. +
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.		Any
Disk200 GB available hard disk space, any format.Any size, MBR formatted.
CPUSLAT-Capable CPUAny
NetworkInternet connectionAny
+ + +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +
+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + +
+ +## Lab setup + +The lab architecture is summarized in the following diagram: + +![PoC](images/poc.png) + +- Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. + +>If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. + +The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. + +## Configure the PoC environment + +>**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. + +### Procedures in this section + +[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
+[Download VHD and ISO files](#download-vhd-and-iso-files)
+[Convert PC to VM](#convert-pc-to-vm)
+[Resize VHD](#resize-vhd)
+[Configure Hyper-V](#configure-hyper-v)
+[Configure VMs](#configure-vms)
+ +### Verify support and install Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + + 
+    C:\>systeminfo
+
+    ...
+    Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                               Virtualization Enabled In Firmware: Yes
+                               Second Level Address Translation: Yes
+                               Data Execution Prevention Available: Yes
+
+ + In this example, the computer supports SLAT and Hyper-V. + + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + + 
+    C:\>coreinfo -v
+
+    Coreinfo v3.31 - Dump information on system CPU and memory topology
+    Copyright (C) 2008-2014 Mark Russinovich
+    Sysinternals - www.sysinternals.com
+
+    Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+    Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+    Microcode signature: 0000001B
+    HYPERVISOR      -       Hypervisor is present
+    VMX             *       Supports Intel hardware-assisted virtualization
+    EPT             *       Supports Intel extended page tables (SLAT)
+
+ + Note: A 64-bit operating system is required to run Hyper-V. + +2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: + + 
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
+ + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + + 
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+ + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](images/hyper-v-feature.png) + + ![hyper-v](images/svr_mgr2.png) + +

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +### Download VHD and ISO files + +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account. + +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. + + **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + + After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. + + + +
VHD
+ +2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. +3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. +4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. + + >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. + +After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + +The following displays the procedures described in this section, both before and after downloading files: + +

+C:>mkdir VHD
+C:>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+   1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+
+ +### Convert PC to VM + +>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. + +
+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: +
+
    +
  1. Open the Download virtual machines page. +
  2. Under Virtual machine, choose IE11 on Win7. +
  3. Under Select platform choose HyperV (Windows). +
  4. Click Download .zip. The download is 3.31 GB. +
  5. Extract the zip file. Three directories are created. +
  6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. +
  7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). +
  8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. +
+
+ +If you have a PC available to convert to VM (computer 2): + +1. Sign in on computer 2 using an account with Administrator privileges. + +>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + +2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. +3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). + +#### Determine the VM generation and partition type + +When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. + +
+ + + + + + + + + + + + + + + + + + + + +
ArchitectureOperating systemPartition style
Generation 132-bit or 64-bitWindows 7 or laterMBR
Generation 264-bitWindows 8 or laterMBR or GPT
+ +
+ +If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. + +- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. +- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: + +
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+ +If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: + +
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                           Caption                                 Type
+----------                           -------                                 ----
+USER-PC1                             Disk #0, Partition #0                   GPT: System
+USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
+
+ +On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: + +
+PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName                            Caption                               Type
+----------                            -------                               ----
+PC-X1                                 Disk #0, Partition #0                 GPT: Unknown
+PC-X1                                 Disk #0, Partition #1                 GPT: System
+PC-X1                                 Disk #0, Partition #2                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
+PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
+
+PS C:> Get-Disk
+
+Number Friendly Name                  OperationalStatus                     Total Size Partition Style
+------ -------------                  -----------------                     ---------- ---------------
+0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
+
+ + + +**Choosing a VM generation** + +The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OSPartition styleArchitectureVM generationProcedure
Windows 7MBR321Prepare a generation 1 VM
641Prepare a generation 1 VM
GPT32N/AN/A
641Prepare a generation 1 VM from a GPT disk
Windows 8 or laterMBR321Prepare a generation 1 VM
641, 2Prepare a generation 1 VM
GPT321Prepare a generation 1 VM from a GPT disk
642Prepare a generation 2 VM
+ +
+ +Notes:
+
    +
  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. +
  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. +
  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. +
+ +#### Prepare a generation 1 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHDX
+
+ +#### Prepare a generation 2 VM + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, open an elevated command prompt and type the following command: + + 
mountvol s: /s
+ + This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). + +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. + + **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd-gen2.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    PC1.VHDX
+
+ +#### Prepare a generation 1 VM from a GPT disk + +1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. + + >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: + + ![disk2vhd](images/disk2vhd4.png) + + >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + +5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: + + 
+    C:\vhd>dir /B
+    2012R2-poc-1.vhd
+    2012R2-poc-2.vhd
+    w10-enterprise.iso
+    w7.VHD
+
+ + >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + +### Resize VHD + +
+Enhanced session mode + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. + +To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: + +
Set-VMhost -EnableEnhancedSessionMode $TRUE
+ +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
+ +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. + +1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + + 
+    Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+    $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+    Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+
+ +2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: + + 
+    Get-Volume -DriveLetter $x
+    Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
+ +### Configure Hyper-V + +1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": + + >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+    A) Remove the existing external virtual switch, then add the poc-external switch
+    B) Rename the existing external switch to "poc-external"
+    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ If you choose B) or C), then do not run the second command below. + + 
+    New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+    New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
+ + **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. + + >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" + +2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: + + 
+    (Get-VMHostNumaNode).MemoryAvailable
+
+ + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: + + 
+    (Get-VMHostNumaNode).MemoryAvailable/4
+    2775.5
+
+ + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. + >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step. + + 
+    $maxRAM = 2700MB
+    New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+    Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+    New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+    Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+    Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+
+ + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. + + To create a generation 1 VM (using c:\vhd\w7.vhdx): + + 
+    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+ + To create a generation 2 VM (using c:\vhd\PC1.vhdx): + + 
+    New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+ + To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd): + + >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. + + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + + 
+    New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+    Mount-VHD -Passthru |
+    Get-Disk -Number {$_.DiskNumber} |
+    Initialize-Disk -PartitionStyle MBR -PassThru |
+    New-Partition -UseMaximumSize |
+    Format-Volume -Confirm:$false -FileSystem NTFS -force
+    Dismount-VHD -Path c:\vhd\d.vhd
+
+ + Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt): + + 
+    New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+    Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+    Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+    Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+    Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+    Start-VM PC1
+    vmconnect localhost PC1
+
+ + The VM will automatically boot into Windows Setup. In the PC1 window: + + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: + + 
+      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+
+ + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + + 
+      diskpart
+      select disk 0
+      clean
+      convert MBR
+      create partition primary size=100
+      format fs=ntfs quick
+      active
+      create partition primary
+      format fs=ntfs quick label=OS
+      assign letter=c
+      exit
+
+ + 7. Type the following commands to restore the OS image and boot files: + + 
+      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+      bcdboot c:\windows
+      exit
+
+ + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + + 
+       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+       Set-VMDvdDrive -VMName PC1 -Path $null
+
+ +### Configure VMs + +1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands: + + 
+    Start-VM DC1
+    vmconnect localhost DC1
+
+ +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. +3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: + + 
+    Rename-Computer DC1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+
+ + > The default gateway at 192.168.0.2 will be configured later in this guide. + > + > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + +6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: + + 
+    Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+ +7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: + + 
+    Restart-Computer
+
+ +8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt: + + 
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+
+ + Ignore any warnings that are displayed. The computer will automatically reboot upon completion. + +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert: + + 
+    Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+    Add-WindowsFeature -Name DHCP -IncludeManagementTools
+    netsh dhcp add securitygroups
+    Restart-Service DHCPServer
+    Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
+    Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+
+ +10. Next, add a DHCP scope and set option values: + + 
+    Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+    Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+
+ + >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: + + 
+    Get-DnsServerForwarder
+
+ + The following output should be displayed: + + 
+    UseRootHint        : True
+    Timeout(s)         : 3
+    EnableReordering   : True
+    IPAddress          : 192.168.0.2
+    ReorderedIPAddress : 192.168.0.2
+
+ + If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + + 
+    Add-DnsServerForwarder -IPAddress 192.168.0.2
+
+ + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
+    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+    Set-ADUser -Identity user1 -PasswordNeverExpires $true
+    Set-ADUser -Identity administrator -PasswordNeverExpires $true
+    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+
+ +12. Minimize the DC1 VM window but **do not stop** the VM. + + Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + +13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: + + 
+    Start-VM PC1
+    vmconnect localhost PC1
+
+ +14. Sign in to PC1 using an account that has local administrator rights. + + >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + +15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. + + ![PoC](images/installing-drivers.png) + + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + +16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. + +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. + + To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + + ``` + ipconfig + + Windows IP Configuration + + Ethernet adapter Local Area Connection 3: + Connection-specific DNS Suffix . : contoso.com + Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 + Ipv4 Address. . . . . . . . . . . : 192.168.0.101 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : 192.168.0.2 + + ping dc1.contoso.com + + Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 + + nltest /dsgetdc:contoso.com + DC: \\DC1 + Address: \\192.168.0.1 + Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 + Dom Name: CONTOSO + Forest Name: contoso.com + Dc Site Name: Default-First-Site-Name + Our Site Name: Default-First-Site-Name + Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 + ``` + + >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: + + 
+    (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
+ + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + + See the following example: + + ![ISE](images/ISE.png) + +19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: + + 
+    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+
+ + >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + +21. On PC1, type the following commands at an elevated Windows PowerShell prompt: + + 
+    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+
+ + >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + +22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: + + 
+    Start-VM SRV1
+    vmconnect localhost SRV1
+
+ +25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. +27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: + + 
+    Rename-Computer SRV1
+    New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+    Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+    Restart-Computer
+
+ + >[!IMPORTANT] + >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. + +28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: + + 
+    $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+    $user = "contoso\administrator"
+    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+    Add-Computer -DomainName contoso.com -Credential $cred
+    Restart-Computer
+
+ +29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: + + 
+    Install-WindowsFeature -Name DNS -IncludeManagementTools
+    Install-WindowsFeature -Name WDS -IncludeManagementTools
+    Install-WindowsFeature -Name Routing -IncludeManagementTools
+
+ +30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. + + To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: + + 
+    Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+    IPAddress                                                                  InterfaceAlias
+    ---------                                                                  --------------
+    10.137.130.118                                                             Ethernet 2
+    192.168.0.2                                                                Ethernet
+
+ + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. + + >[!TIP] + >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. + + +31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: + + 
+    Install-RemoteAccess -VpnType Vpn
+    cmd /c netsh routing ip nat install
+    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+    cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+    cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+
+ +32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: + + 
+    Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+
+ +33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: + + 
+    ping www.microsoft.com
+
+ + If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + + 
+    Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+
+ +34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): + + 
+    PS C:\> ping www.microsoft.com
+
+    Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+    Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+    Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+    Ping statistics for 23.222.146.170:
+        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+    Approximate round trip times in milli-seconds:
+        Minimum = 1ms, Maximum = 3ms, Average = 2ms
+
+ +35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: + + 
+    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+    Restart-Computer
+
+ +This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. + +## Appendix A: Verify the configuration + +Use the following procedures to verify that the PoC environment is configured properly and working as expected. + +1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
+    Get-Service NTDS,DNS,DHCP
+    DCDiag -a
+    Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    Get-DhcpServerInDC
+    Get-DhcpServerv4Statistics
+    ipconfig /all
+
+ + **Get-Service** displays a status of "Running" for all three services.
+ **DCDiag** displays "passed test" for all tests.
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+ **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+ **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+ **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
+ **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+ **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. + +2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: + + 
+    Get-Service DNS,RemoteAccess
+    Get-DnsServerForwarder
+    Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+    ipconfig /all
+    netsh int ipv4 show address
+
+ + **Get-Service** displays a status of "Running" for both services.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+ **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + +3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: + + 
+    whoami
+    hostname
+    nslookup www.microsoft.com
+    ping -n 1 dc1.contoso.com
+    tracert www.microsoft.com
+
+ + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **hostname** displays the name of the local computer, for example W7PC-001.
+ **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + + +## Appendix B: Terminology used in this guide + +

  + +

+ + +
Term +Definition +
GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. +
Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. +
Hyper-V hostThe computer where Hyper-V is installed. +
Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. +
MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. +
Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. +
Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. +
Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. +
Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. +
VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. +
+ +
+ +## Related Topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + + + + + + + + diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 86c2c3e316..4d7af27528 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -104,13 +104,13 @@ Once the hardware IDs have been captured from existing devices, they can be uplo - [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. A summary of each platform's capabilities is provided below. - +
- + + + diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 0fd535d10e..a5c02be0ef 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -68,15 +68,16 @@ See the following examples. Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force Install-Module AzureAD -Force Install-Module WindowsAutopilotIntune -Force + Install-Module Microsoft.Graph.Intune -Force ``` - + 3. Enter the following lines and provide Intune administrative credentials - - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. + - Be sure that the user account you specify has sufficient administrative rights. ```powershell - Connect-MSGraph -user admin@M365x373186.onmicrosoft.com + Connect-MSGraph ``` - The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. + The user and password for your account will be requested using a standard Azure AD form. Type your username and password and then click **Sign in**.
See the following example: ![Azure AD authentication](images/pwd.png) diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index d782b8d33e..1469d2dcf0 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -35,7 +35,6 @@ sections: -
Platform/Portal -Register devices? -Create/Assign profile -Acceptable DeviceID +Platform/PortalRegister devices?Create/Assign profileAcceptable DeviceID
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		October 08, 2019
10:00 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		August 17, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
07:03 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		July 09, 2019
10:00 AM PT
" @@ -64,12 +63,3 @@ sections:
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" - -- title: June 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4507458.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		Resolved:
July 09, 2019
10:00 AM PT

Opened:
June 12, 2019
11:11 AM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 84bc5ffff2..404538ea70 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -42,11 +42,6 @@ sections:
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
07:03 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
System Center Virtual Machine Manager cannot enumerate and manage logical switches deployed on managed hosts.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		July 09, 2019
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		June 27, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4503294		June 18, 2019
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4503267		June 11, 2019
10:00 AM PT
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4503267		June 11, 2019
10:00 AM PT
" @@ -96,27 +91,6 @@ sections: text: " - - - -
DetailsOriginating updateStatusHistory
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

Affected platforms:
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507459.

Back to top		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		Resolved:
July 16, 2019
10:00 AM PT

Opened:
June 04, 2019
05:55 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.

Back to top		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		Resolved:
June 27, 2019
02:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4503294		Resolved:
June 18, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.

Back to top		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4503267		Resolved:
June 11, 2019
10:00 AM PT

Opened:
June 05, 2019
05:49 PM PT
- " - -- title: May 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

Affected platforms:
  • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507460.

Back to top		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		Resolved:
July 09, 2019
10:00 AM PT

Opened:
May 21, 2019
08:50 AM PT
- " - -- title: March 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503267.

Back to top		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4503267		Resolved:
June 11, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 35c7f5856c..92e479f7e8 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -38,9 +38,6 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		August 16, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 16299.1331

August 13, 2019
KB4512516		Resolved
KB4512494		August 16, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
07:03 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		June 26, 2019
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4503281		June 18, 2019
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4503284		June 11, 2019
10:00 AM PT
" @@ -81,14 +78,3 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512494.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		Resolved:
August 16, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
" - -- title: June 2019 -- items: - - type: markdown - text: " - - - - -
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.

Back to top		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4503281		Resolved:
June 18, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.

Back to top		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4503284		Resolved:
June 11, 2019
10:00 AM PT

Opened:
June 05, 2019
05:49 PM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index 9aadd14d5a..378576d142 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -41,9 +41,6 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17134.950

August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved External
August 09, 2019
07:03 PM PT -
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4509478June 26, 2019
04:00 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4503288June 18, 2019
02:00 PM PT -
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 17134.799

May 21, 2019
KB4499183Resolved
KB4503286June 11, 2019
10:00 AM PT " @@ -93,8 +90,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4519978.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4519978		Resolved:
October 15, 2019
10:00 AM PT

Opened:
June 14, 2019
04:41 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.

Back to top		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4509478		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4503288		Resolved:
June 18, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.

Back to top		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4503286		Resolved:
June 11, 2019
10:00 AM PT

Opened:
June 05, 2019
05:49 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index f6351c2c0b..82cba46203 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -42,12 +42,6 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17763.678

August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved External
August 09, 2019
07:03 PM PT -
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >OS Build 17763.529

May 21, 2019
KB4497934Resolved
KB4509479June 26, 2019
04:00 PM PT -
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers may have issues pairing or connecting to devices.

See details >OS Build 17763.503

May 14, 2019
KB4494441Resolved
KB4501371June 18, 2019
02:00 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4501371June 18, 2019
02:00 PM PT -
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.

See details >OS Build 17763.379

March 12, 2019
KB4489899Resolved
KB4501371June 18, 2019
02:00 PM PT -
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >OS Build 17763.529

May 21, 2019
KB4497934Resolved
KB4503327June 11, 2019
10:00 AM PT -
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may terminate the connection.

See details >OS Build 17763.379

March 12, 2019
KB4489899Resolved
KB4503327June 11, 2019
10:00 AM PT " @@ -106,27 +100,5 @@ sections: text: " - - - - -
DetailsOriginating updateStatusHistory
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4520062.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4520062		Resolved:
October 15, 2019
10:00 AM PT

Opened:
June 14, 2019
04:41 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.

Back to top		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4509479		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.

Back to top		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
KB4501371		Resolved:
June 18, 2019
02:00 PM PT

Opened:
June 14, 2019
05:45 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4501371		Resolved:
June 18, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.

Back to top		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4503327		Resolved:
June 11, 2019
10:00 AM PT

Opened:
June 05, 2019
05:49 PM PT
- " - -- title: May 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4501371		Resolved:
June 18, 2019
02:00 PM PT

Opened:
May 02, 2019
04:47 PM PT
- " - -- title: March 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503327.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4503327		Resolved:
June 11, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index dffdd5ba5f..f6f7b30864 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -38,7 +38,6 @@ sections:
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
November 12, 2019
08:11 AM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved External
November 12, 2019
08:04 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PT -
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4501375June 27, 2019
10:00 AM PT
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4517389October 08, 2019
10:00 AM PT
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

See details >N/A

Resolved
KB4522355October 24, 2019
10:00 AM PT
dGPU occasionally disappear from device manager on Surface Book 2
Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
October 18, 2019
04:33 PM PT @@ -57,10 +56,6 @@ sections:
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved External
August 09, 2019
07:03 PM PT
Display brightness may not respond to adjustments
Devices configured with certain Intel display drivers may experience a driver compatibility issue.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
KB4505903July 26, 2019
02:00 PM PT -
Loss of functionality in Dynabook Smartphone Link app
Users who update to Windows 10, version 1903 may experience a loss of functionality with Dynabook Smartphone Link.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019
01:54 PM PT -
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019
01:53 PM PT -
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
July 11, 2019
01:53 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved
KB4501375June 27, 2019
10:00 AM PT " @@ -127,7 +122,6 @@ sections: text: " -
DetailsOriginating updateStatusHistory
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
June 28, 2019
05:01 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		Resolved:
June 27, 2019
10:00 AM PT

Opened:
June 12, 2019
11:11 AM PT
" @@ -140,11 +134,7 @@ sections:
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved External
Last updated:
November 15, 2019
05:59 PM PT

Opened:
May 21, 2019
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved External
Last updated:
November 12, 2019
08:04 AM PT

Opened:
May 21, 2019
07:22 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
Affected platforms:
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:28 AM PT -
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
        \"Close other apps, error code: 0XA00F4243.”

To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4501375Resolved:
June 27, 2019
10:00 AM PT

Opened:
May 21, 2019
07:20 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
Resolution: This issue was resolved in KB4512941.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT

Opened:
May 24, 2019
04:20 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:56 AM PT -
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019
01:54 PM PT

Opened:
May 24, 2019
03:10 PM PT -
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:38 AM PT -
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:16 AM PT " diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 3ba826b5ad..7401114369 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -39,8 +39,6 @@ sections:
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512506Resolved
KB4517297August 16, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493472Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503292Resolved External
August 09, 2019
07:03 PM PT -
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499164Resolved
KB4503277June 20, 2019
02:00 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503292Resolved
KB4503277June 20, 2019
02:00 PM PT " @@ -81,16 +79,6 @@ sections: " -- title: June 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499164		Resolved
KB4503277		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 07, 2019
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503292		Resolved
KB4503277		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
- " - - title: April 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index be34bac3ce..d7ed2c1633 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -39,9 +39,6 @@ sections:
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493446Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503276Resolved External
August 09, 2019
07:03 PM PT -
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499151Resolved
KB4503283June 20, 2019
02:00 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503276Resolved
KB4503283June 20, 2019
02:00 PM PT -
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >March 12, 2019
KB4489881Resolved
KB4503276June 11, 2019
10:00 AM PT " @@ -90,16 +87,6 @@ sections: " -- title: June 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499151		Resolved
KB4503283		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 07, 2019
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503276		Resolved
KB4503283		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
- " - - title: April 2019 - items: - type: markdown @@ -108,12 +95,3 @@ sections:
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to topApril 09, 2019
KB4493446Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT " - -- title: March 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Resolution: This issue was resolved in KB4503276.

Back to top		March 12, 2019
KB4489881		Resolved
KB4503276		Resolved:
June 11, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml index c0a8e854fa..18fc3ff189 100644 --- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml +++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml @@ -37,7 +37,6 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503273Resolved
KB4512499August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512476Resolved
KB4517301August 16, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503273Resolved External
August 09, 2019
07:03 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503273Resolved
KB4503271June 20, 2019
02:00 PM PT " @@ -76,12 +75,3 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

Affected platforms:
Resolution: This issue was resolved in KB4512499.

Back to topJune 11, 2019
KB4503273Resolved
KB4512499Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT " - -- title: June 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503273		Resolved
KB4503271		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
- " diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index 268770f5d8..c2bef06cf8 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -37,10 +37,6 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503285Resolved
KB4512512August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512518Resolved
KB4517302August 16, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503285Resolved External
August 09, 2019
07:03 PM PT -
Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V VMs may have issues installing some updates when Secure Boot is enabled.

See details >June 11, 2019
KB4503285Resolved
KB4503295June 21, 2019
02:00 PM PT -
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >May 14, 2019
KB4499171Resolved
KB4503295June 21, 2019
02:00 PM PT -
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

See details >June 11, 2019
KB4503285Resolved
KB4503295June 20, 2019
02:00 PM PT -
Issue using PXE to start a device from WDS
There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

See details >March 12, 2019
KB4489891Resolved
KB4503285June 11, 2019
10:00 AM PT " @@ -87,23 +83,3 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

Affected platforms:
Resolution: This issue was resolved in KB4512512.

Back to topJune 11, 2019
KB4503285Resolved
KB4512512Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT " - -- title: June 2019 -- items: - - type: markdown - text: " - - - - -
DetailsOriginating updateStatusHistory
Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.

Affected platforms:
  • Server: Windows Server 2012
Resolution: This issue was resolved in KB4503295. If your device is using Security Only updates, this issue was resolved in KB4508776.

Back to top		June 11, 2019
KB4503285		Resolved
KB4503295		Resolved:
June 21, 2019
02:00 PM PT

Opened:
June 19, 2019
04:57 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.


Affected platforms:
  • Client: Windows 7 SP1; Windows 8.1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2

Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.

Back to top		May 14, 2019
KB4499171		Resolved
KB4503295		Resolved:
June 21, 2019
02:00 PM PT

Opened:
June 07, 2019
02:57 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.

Back to top		June 11, 2019
KB4503285		Resolved
KB4503295		Resolved:
June 20, 2019
02:00 PM PT

Opened:
June 12, 2019
11:11 AM PT
- " - -- title: March 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Resolution: This issue was resolved in KB4503285.

Back to top		March 12, 2019
KB4489891		Resolved
KB4503285		Resolved:
June 11, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 88e42ce4a7..b45f2a51e5 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,7 +64,6 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- @@ -93,7 +92,6 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Microsoft Defender Advanced Threat Protection might stop running
The Microsoft Defender ATP service might stop running and might fail to send reporting data.

See details >		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		November 12, 2019
10:00 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
November 12, 2019
08:05 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17763.805

October 08, 2019
KB4519338		Mitigated External
November 05, 2019
03:36 PM PT
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
-
DetailsOriginating updateStatusHistory
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

Note Microsoft Windows Defender Antivirus is not affected by this issue.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4523205.

Back to top		OS Build 17763.832

October 15, 2019
KB4520062		Resolved
KB4523205		Resolved:
November 12, 2019
10:00 AM PT

Opened:
October 17, 2019
05:14 PM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.737

September 10, 2019
KB4512578		Mitigated
Last updated:
November 12, 2019
08:05 AM PT

Opened:
October 29, 2019
05:15 PM PT
" diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index e89546389a..695f9e9477 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -64,14 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - - - - -
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4530684		December 10, 2019
10:00 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 22, 2019
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 15, 2019
05:59 PM PT
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive error code 0x80073701.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
November 12, 2019
08:11 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
November 05, 2019
03:36 PM PT
Intel Audio displays an intcdaud.sys notification
Devices with a range of Intel Display Audio device drivers may experience battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
November 12, 2019
08:04 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019
02:00 PM PT
" @@ -91,33 +85,3 @@ sections:
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
Affected platforms:

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to topOS Build 18362.418

October 08, 2019
KB4517389Mitigated External
Last updated:
November 05, 2019
03:36 PM PT

Opened:
November 05, 2019
03:36 PM PT " - -- title: October 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4530684.

Back to top		OS Build 18362.356

September 10, 2019
KB4515384		Resolved
KB4530684		Resolved:
December 10, 2019
10:00 AM PT

Opened:
October 29, 2019
05:15 PM PT
- " - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
November 12, 2019
08:11 AM PT

Opened:
August 16, 2019
01:41 PM PT
- " - -- title: May 2019 -- items: - - type: markdown - text: " - - - - - -
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 22, 2019
04:10 PM PT

Opened:
May 21, 2019
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 15, 2019
05:59 PM PT

Opened:
May 21, 2019
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved External
Last updated:
November 12, 2019
08:04 AM PT

Opened:
May 21, 2019
07:22 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:28 AM PT
- " diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml index a8b1f36597..ac72f26612 100644 --- a/windows/release-information/status-windows-10-1909.yml +++ b/windows/release-information/status-windows-10-1909.yml @@ -64,10 +64,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - -
SummaryOriginating updateStatusLast updated
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved
KB4530684		December 10, 2019
10:00 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 22, 2019
04:10 PM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

See details >		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
November 15, 2019
05:59 PM PT
" @@ -86,22 +83,3 @@ sections:
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

Affected platforms:
Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

Back to topN/A

Mitigated External
Last updated:
November 25, 2019
05:25 PM PT

Opened:
November 22, 2019
04:10 PM PT " - -- title: October 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

Note This issue does not affect using a Microsoft Account during OOBE.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4530684.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved
KB4530684		Resolved:
December 10, 2019
10:00 AM PT

Opened:
October 29, 2019
05:15 PM PT
- " - -- title: May 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 22, 2019
04:10 PM PT

Opened:
May 21, 2019
07:13 AM PT
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903
  • Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

Back to top		OS Build 18363.476

November 12, 2019
KB4524570		Resolved External
Last updated:
November 15, 2019
05:59 PM PT

Opened:
May 21, 2019
07:29 AM PT
- " diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index d20fb293cd..3db7d9a3ea 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,7 +60,6 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- @@ -79,7 +78,6 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512489		Resolved
KB4525250		November 12, 2019
10:00 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520005		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
-
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 (released on August 13, 2019) without installing KB4507457, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512489		Resolved
KB4525250		Resolved:
November 12, 2019
10:00 AM PT

Opened:
November 27, 2019
04:02 PM PT
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520005		Mitigated External
Last updated:
November 05, 2019
03:36 PM PT

Opened:
November 05, 2019
03:36 PM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 734e55f864..ae33c73b72 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,7 +60,6 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- @@ -79,7 +78,6 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019
10:00 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520007		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
-
DetailsOriginating updateStatusHistory
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. Note This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.

Affected platforms:
  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4525253. However, the issue occurs when you install only KB4512482 (released on August 13, 2019) without installing KB4507447, the previous Security Only update (released July 9, 2019). Reminder When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.

Back to top		August 13, 2019
KB4512482		Resolved
KB4525253		Resolved:
November 12, 2019
10:00 AM PT

Opened:
November 27, 2019
04:02 PM PT
TLS connections might fail or timeout
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
  • \"The request was aborted: Could not create SSL/TLS secure Channel\"
  • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

Back to top		October 08, 2019
KB4520007		Mitigated External
Last updated:
November 05, 2019
03:36 PM PT

Opened:
November 05, 2019
03:36 PM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index b3441dc375..e8c99b7485 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,8 @@ sections: text: " + + diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index f8a3185eb0..c8bdc813a2 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -289,6 +289,16 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location. +## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition +You may see the following registry keys under AllCachedCapabilities: + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows + All Capability SIDs are prefixed by S-1-15-3 ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 610edeb54d..69155363d3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` +> [!NOTE] +> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 72257804e5..d1efe88759 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -68,3 +68,5 @@ Following are the various deployment guides and models included in this topic: Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. +> [!NOTE] +> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 9874fcd53a..54e4021adc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -58,6 +58,9 @@ To resolve this issue, the CRL distribution point must be a location that is acc If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. +> [!NOTE] +> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. + ### Windows Server 2016 Domain Controllers If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -335,6 +338,3 @@ Sign-in a workstation with access equivalent to a _domain user_. If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 8ed6db6fb4..f7a5eed854 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -118,6 +118,11 @@ Hybrid certificate trust deployments need the device write back feature. Authen > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object. +## Provisioning + +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + + ### Section Checklist ### > [!div class="checklist"] > * Azure Active Directory Device writeback diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index e2d7d4fc9c..16c17aa3f9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article. ### Configure Permissions for Key Synchronization @@ -56,9 +56,6 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. - >[!IMPORTANT] - > If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. - 3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2694a48af..d2b1de480f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -40,7 +40,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -125,7 +125,11 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth ## Device Registration Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. - + +## Provisioning + +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + ### Section Checklist diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5f6fb9480c..57a2493e4c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. -## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business on premises key trust deployment guide 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. Validate and Configure Public Key Infrastructure (*You are here*) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 2e4f0f0749..288347b3aa 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -1,9 +1,9 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,26 +15,29 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/13/2019 +ms.date: 01/09/2020 --- -# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager +# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager -System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +>[!TIP] +> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. **To create a configuration item for WIP** -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. @@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -295,9 +298,9 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. +12. After you’ve created your XML file, you need to import it by using Configuration Manager. -**To import your Applocker policy file app rule using System Center Configuration Manager** +**To import your Applocker policy file app rule using Configuration Manager** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. @@ -506,3 +509,5 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) + +- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index fbeab9d3aa..3e55222065 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -121,6 +121,7 @@ ##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) ##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) ##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) @@ -129,7 +130,7 @@ ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) -#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) + #### [Custom detections]() ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) @@ -137,8 +138,6 @@ ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) -#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) -#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md) ### [Integrations]() #### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md) @@ -362,15 +361,15 @@ ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) #### [Microsoft Defender ATP API]() -##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) ##### [Get started with Microsoft Defender ATP APIs]() -###### [Introduction](microsoft-defender-atp/apis-intro.md) +###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) +###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md) ###### [Hello World](microsoft-defender-atp/api-hello-world.md) ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md) ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md) ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md) -##### [APIs]() +##### [Microsoft Defender ATP APIs Schema]() ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) @@ -408,7 +407,12 @@ ####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md) ####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md) ####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md) -####### [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md) + +###### [Automated Investigation]() +####### [Investigation methods and properties](microsoft-defender-atp/investigation.md) +####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md) +####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md) +####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md) ###### [Indicators]() ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md) @@ -444,14 +448,14 @@ ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) -#### [Windows updates (KB) info]() -##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md) +#### [Raw data streaming API]() +##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md) +##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) +##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md) + -#### [Common Vulnerabilities and Exposures (CVE) to KB map]() -##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) - - -#### [Pull detections to your SIEM tools]() +#### [SIEM integration]() +##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) @@ -460,6 +464,7 @@ ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) + #### [Reporting]() ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) ##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) @@ -486,45 +491,55 @@ ###### [Using machine groups](microsoft-defender-atp/machine-groups.md) ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md) +#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md) + +## [Partner integration scenarios]() +### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md) +### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md) +### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md) + + +## [Configure Microsoft threat protection integration]() +### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) +### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) + +## [Configure portal settings]() +### [Set up preferences](microsoft-defender-atp/preferences-setup.md) +### [General]() +#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) +#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) +#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) +#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) +#### [Configure advanced features](microsoft-defender-atp/advanced-features.md) + +### [Permissions]() +#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md) +#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) +##### [Create and manage roles](microsoft-defender-atp/user-roles.md) +##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) +###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) + +### [APIs]() +#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md) +#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) + +### [Rules]() +#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) +#### [Manage indicators](microsoft-defender-atp/manage-indicators.md) +#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) +#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) + +### [Machine management]() +#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) +#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) + +### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) -### [Configure Microsoft threat protection integration]() -#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) -#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) -#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) -### [Configure portal settings]() -#### [Set up preferences](microsoft-defender-atp/preferences-setup.md) -#### [General]() -##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) -##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) -##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) -##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) -##### [Configure advanced features](microsoft-defender-atp/advanced-features.md) -#### [Permissions]() -##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md) -##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) -###### [Create and manage roles](microsoft-defender-atp/user-roles.md) -###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) -####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -#### [APIs]() -##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md) -##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) - -#### [Rules]() -##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) -##### [Manage indicators](microsoft-defender-atp/manage-indicators.md) -##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) -##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) - -#### [Machine management]() -##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) -##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) - -#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) ## [Troubleshoot Microsoft Defender ATP]() diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 10876a5671..f97c972551 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -184,6 +184,7 @@ The most common values: | 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | | 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | | 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.| | 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | | 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | | 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 06ffbee5b0..4e98d50f44 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -126,8 +126,9 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. Possible values: -| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events | +| Value | Value | Value | |------------------------------------------|----------------------------------------------|--------------------------------------| +| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events | | Audit Kerberos Authentication Service | Audit RPC Events | Audit Special Logon | | Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated | | Audit Other Logon/Logoff Events | Audit Directory Service Access | Audit Certification Services | @@ -145,7 +146,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category | Audit Policy Change | Audit Non-Sensitive Privilege Use | Audit System Integrity | | Audit Authentication Policy Change | Audit Sensitive Privilege Use | Audit PNP Activity | | Audit Authorization Policy Change | Audit Other Privilege Use Events | | -| Group Membership | Audit Network Policy Server | | +| Audit Group Membership | Audit Network Policy Server | | - **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory. diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg new file mode 100644 index 0000000000..e79d2b057d Binary files /dev/null and b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index d619963f4f..0e8ba41a5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -18,10 +18,19 @@ ms.topic: article # Add or Remove Machine Tags API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Adds or remove tag to a specific [Machine](machine.md). + + +## Limitations +1. You can post on machines last seen in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -This API adds or remove tag to a specific machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -77,34 +86,4 @@ Content-type: application/json "Action": "Add" } -``` -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 Ok -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] -} - -``` - - To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 4d241c4a55..c7fd28fc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md new file mode 100644 index 0000000000..b3a718ead0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md @@ -0,0 +1,59 @@ +--- +title: DeviceFileCertificateInfoBeta table in the advanced hunting schema +description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 01/14/2020 +--- + +# DeviceFileCertificateInfoBeta + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. + +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `Timestamp` | datetime | Date and time when the event was recorded +| `DeviceId` | string | Unique identifier for the machine in the service +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to +| `IsSigned` | boolean | Indicates whether the file is signed +| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file +| `Signer` | string | Information about the signer of the file +| `SignerHash` | string | Unique hash value identifying the signer +| `Issuer` | string | Information about the issuing certificate authority (CA) +| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) +| `CrlDistributionPointUrls` | string | URL of the network share that contains certificates and the certificate revocation list (CRL) +| `CertificateCreationTime` | datetime | Date and time the certificate was created +| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire +| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned +| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes +| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. + + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index e1cbdc7933..85f9a0c799 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -23,8 +23,7 @@ ms.date: 10/08/2019 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. @@ -141,5 +140,4 @@ For detailed information about the query language, see [Kusto query language doc - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 7c64003218..8eb7542ce5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2019 +ms.date: 01/14/2020 --- # Understand the advanced hunting schema @@ -47,6 +47,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events | | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints | | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 3bf7ffba39..62a32da91b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -27,6 +27,7 @@ Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. +[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). @@ -59,19 +60,8 @@ detectionSource | String | Detection source. threatFamilyName | String | Threat family. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. -alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName. -alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field. -alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. - -## JSON representation: - -- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists) -- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains). -- When querying single alert all expandable properties will be expanded. -- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. - ### Response example for getting single alert: ``` @@ -83,12 +73,12 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "id": "da637084217856368682_-292920499", "incidentId": 66860, "investigationId": 4416234, + "investigationState": "Running", "assignedTo": "secop@contoso.com", "severity": "Low", "status": "New", "classification": "TruePositive", "determination": null, - "investigationState": "Running", "detectionSource": "WindowsDefenderAtp", "category": "CommandAndControl", "threatFamilyName": null, @@ -106,24 +96,6 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "createdBy": "secop@contoso.com", "createdTime": "2019-11-05T14:08:37.8404534Z" } - ], - "alertFiles": [ - { - "sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd", - "sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e", - "filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe", - "fileName": "nsf61D3.tmp.exe" - } - ], - "alertDomains": [ - { - "host": "login.bullguard.com" - } - ], - "alertIps": [ - { - "ipAddress": "91.231.212.53" - } ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index 425ad57ee8..589b46db48 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Advanced Threat Protection API overview +title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP API overview +# Access the Microsoft Defender Advanced Threat Protection APIs **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index fbfaeaf1bc..1596496d14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -18,11 +18,19 @@ ms.topic: article --- # Collect investigation package API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Collect investigation package from a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -74,25 +82,3 @@ Content-type: application/json "Comment": "Collect forensics due to alert 1234" } ``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "c9042f9b-8483-4526-87b5-35e4c2532223", - "type": "CollectInvestigationPackage", - "requestor": "Analyst@contoso.com", - "requestorComment": " Collect forensics due to alert 1234", - "status": "InProgress", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", - "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "relatedFileInfo": null -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 521fbb5621..ad965c75e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/16/2017 --- # Pull detections to your SIEM tools @@ -56,13 +55,3 @@ Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). -## In this section - -Topic | Description -:---|:--- -[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. -[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. -[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API. -[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 077445f7c7..2e5c7cec45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -16,13 +16,24 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create alert from event API +# Create alert API **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Create alert using event data, as obtained from [Advanced Hunting](run-advanced-query-api.md) for creating a new alert. + +## API description +Creates new [Alert](alerts.md). +
Microsoft Defender ATP Event is a required parameter for the alert creation. +
You can use an event found in Advanced Hunting API or Portal. +
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it. +
An automatic investigation starts automatically on alerts created via the API. + + +## Limitations +1. Rate limitations for this API are 15 calls per minute. + ## Permissions diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 27ffb12de8..1c03a39e93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -18,15 +18,18 @@ ms.topic: article # Delete Indicator API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ->[!Note] -> Currently this API is only supported for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) +## API description +Deletes an [Indicator](ti-indicator.md) entity by ID. -- Deletes an Indicator entity by ID. +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) @@ -66,15 +69,5 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. ``` -DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 204 NO CONTENT - +DELETE https://api.securitycenter.windows.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 5e9a5f5e75..1741fdf531 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -130,7 +130,7 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  * In terminal, run: ```bash - mdatp --edr --earlypreview true + mdatp --edr --early-preview true ``` For versions earlier than 100.78.0, run: diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index fbcee47cf2..cb90cee7fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -51,25 +51,25 @@ Content-type: application/json "value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "High", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "ExampleTag" ] }, - . - . - . + ... ] } ``` @@ -79,7 +79,7 @@ Content-type: application/json - Get all the alerts that created after 2018-10-20 00:00:00 ``` -HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z +HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z ``` **Response:** @@ -91,28 +91,35 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "121688558380765161_2136280442", - "incidentId": 7696, - "assignedTo": "secop@contoso.com", - "severity": "High", - "status": "New", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "id": "da637084217856368682_-292920499", + "incidentId": 66860, + "investigationId": 4416234, + "investigationState": "Running", + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "New", + "classification": "TruePositive", + "determination": null, + "detectionSource": "WindowsDefenderAtp", + "category": "CommandAndControl", + "threatFamilyName": null, + "title": "Network connection to a risky host", + "description": "A network connection was made to a risky host which has exhibited malicious activity.", + "alertCreationTime": "2019-11-03T23:49:45.3823185Z", + "firstEventTime": "2019-11-03T23:47:16.2288822Z", + "lastEventTime": "2019-11-03T23:47:51.2966758Z", + "lastUpdateTime": "2019-11-03T23:55:52.6Z", + "resolvedTime": null, + "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop@contoso.com", + "createdTime": "2019-11-05T14:08:37.8404534Z" + } + ] }, - . - . - . + ... ] } ``` @@ -122,7 +129,7 @@ Content-type: application/json - Get all the machines with 'High' 'RiskScore' ``` -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High' +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High' ``` **Response:** @@ -135,25 +142,25 @@ Content-type: application/json "value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "High", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "ExampleTag" ] }, - . - . - . + ... ] } ``` @@ -163,7 +170,7 @@ Content-type: application/json - Get top 100 machines with 'HealthStatus' not equals to 'Active' ``` -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100 +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 ``` **Response:** @@ -176,25 +183,25 @@ Content-type: application/json "value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "High", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "ImpairedCommunication", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "ExampleTag" ] }, - . - . - . + ... ] } ``` @@ -217,25 +224,25 @@ Content-type: application/json "value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "High", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "ImpairedCommunication", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "ExampleTag" ] }, - . - . - . + ... ] } ``` @@ -245,7 +252,7 @@ Content-type: application/json - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP ``` -HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' +HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' ``` **Response:** @@ -257,19 +264,19 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", "value": [ { - "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5", + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan", - "requestor": "Analyst@examples.onmicrosoft.com", - "requestorComment": "1533", + "scope": "Full", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", - "machineId": "123321c10e44a82877af76b1d0161a17843f688a", - "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z", - "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z", - "relatedFileInfo": null + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null }, - . - . - . + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index d4cc5e85cb..5ef6fc7ec4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -17,9 +17,10 @@ ms.topic: article --- # File resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Represent a file entity in Microsoft Defender ATP. @@ -37,11 +38,10 @@ Property | Type | Description :---|:---|:--- sha1 | String | Sha1 hash of the file content sha256 | String | Sha256 hash of the file content -md5 | String | md5 hash of the file content -globalPrevalence | Integer | File prevalence across organization +globalPrevalence | Nullable long | File prevalence across organization globalFirstObserved | DateTimeOffset | First time the file was observed. globalLastObserved | DateTimeOffset | Last time the file was observed. -size | Integer | Size of the file. +size | Nullable long | Size of the file. fileType | String | Type of the file. isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) filePublisher | String | File publisher. @@ -50,3 +50,29 @@ signer | String | File signer. issuer | String | File issuer. signerHash | String | Hash of the signing certificate. isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender ATP agent. +determinationType | String | The determination type of the file. +determinationValue | String | Determination value. + + +## Json representation + +```json +{ + "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", + "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462", + "globalPrevalence": 180022, + "globalFirstObserved": "2017-09-19T03:51:27.6785431Z", + "globalLastObserved": "2020-01-06T03:59:21.3229314Z", + "size": 22139496, + "fileType": "APP", + "isPeFile": true, + "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.", + "fileProductName": "EaseUS MobiSaver for Android", + "signer": "CHENGDU YIWO Tech Development Co., Ltd.", + "issuer": "VeriSign Class 3 Code Signing 2010 CA", + "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16", + "isValidCertificate": false, + "determinationType": "Pua", + "determinationValue": "PUA:Win32/FusionCore" +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index c803a1d4de..5976574977 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -18,13 +18,19 @@ ms.topic: article # Find machines by internal IP API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp. -The given timestamp must be in the past 30 days. +## API description +Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp. + + +## Limitations +1. The given timestamp must be in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -70,37 +76,5 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z) -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-09-22T08:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "10.248.240.38", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - } - ] -} +GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index d410e5fdb4..f065b2faab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -18,11 +18,19 @@ ms.topic: article # Get alert information by ID API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves specific [Alert](alerts.md) by its ID. + + +## Limitations +1. You can get alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves an alert by its ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -56,46 +64,3 @@ Empty ## Response If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442 -``` - -**Response** - -Here is an example of the response. - - -``` -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 001e90c95f..bfafa218ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -18,12 +18,20 @@ ms.topic: article # Get alert related domain information API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves all domains related to a specific alert. + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -79,7 +87,11 @@ Content-type: application/json "value": [ { "host": "www.example.com" + }, + { + "host": "www.example2.com" } + ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index c8605dc7cd..89838eb90d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -18,12 +18,20 @@ ms.topic: article # Get alert related files information API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves all files related to a specific alert. + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -79,23 +87,25 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files", "value": [ { - "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d", - "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87", - "md5": "82849dc81d94056224445ea73dc6153a", - "globalPrevalence": 33, - "globalFirstObserved": "2018-07-17T18:17:27.5909748Z", - "globalLastObserved": "2018-08-06T16:07:12.9414137Z", - "windowsDefenderAVThreatName": null, - "size": 801112, - "fileType": "PortableExecutable", + "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70", + "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa", + "md5": "8d5b7cc9a832e21d22503057e1fec8e9", + "globalPrevalence": 29, + "globalFirstObserved": "2019-03-23T23:54:06.0135204Z", + "globalLastObserved": "2019-04-23T00:43:20.0489831Z", + "size": 113984, + "fileType": null, "isPeFile": true, - "filePublisher": null, - "fileProductName": null, - "signer": "Microsoft Windows", - "issuer": "Microsoft Development PCA 2014", - "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f", - "isValidCertificate": true + "filePublisher": "Microsoft Corporation", + "fileProductName": "Microsoft Windows Operating System", + "signer": "Microsoft Corporation", + "issuer": "Microsoft Code Signing PCA", + "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675", + "isValidCertificate": true, + "determinationType": "Unknown", + "determinationValue": null } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 69d6da0bf6..f012975e19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -16,14 +16,22 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get alert related IP information API +# Get alert related IPs information API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves all IPs related to a specific alert. + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -85,6 +93,7 @@ Content-type: application/json { "id": "23.203.232.228 } + ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index bd98f47f1b..be84e2c9ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -18,11 +18,19 @@ ms.topic: article # Get alert related machine information API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves [Machine](machine.md) related to a specific alert. + + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves machine that is related to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -85,15 +93,16 @@ Content-type: application/json "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": "10.0.0.0", + "version": "1709", + "osProcessor": "x64", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, "rbacGroupName": "The-A-Team", "riskScore": "Low", + "exposureLevel": "Medium", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index ac8b284b43..d0e078abac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -18,11 +18,19 @@ ms.topic: article # Get alert related user information API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves the User related to a specific alert. + + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves the user associated to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -80,13 +88,16 @@ Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", "id": "contoso\\user1", - "firstSeen": "2018-08-02T00:00:00Z", - "lastSeen": "2018-08-04T00:00:00Z", - "mostPrevalentMachineId": null, - "leastPrevalentMachineId": null, + "accountName": "user1", + "accountDomain": "contoso", + "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922", + "firstSeen": "2019-12-08T06:33:39Z", + "lastSeen": "2020-01-05T06:58:34Z", + "mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766", + "leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766", "logonTypes": "Network", - "logOnMachinesCount": 3, + "logOnMachinesCount": 1, "isDomainAdmin": false, - "isOnlyNetworkUser": null + "isOnlyNetworkUser": false } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index b6056a66b3..33337c0f38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -22,13 +22,19 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves a collection of Alerts. +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) -Supports [OData V4 queries](https://www.odata.org/documentation/). -The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category". +## Limitations +1. You can get alerts last updated in the past 30 days. +2. Maximum page size is 10,000. +3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -50,10 +56,6 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/alerts ``` -## Optional query parameters -Method supports $top, $select, $filter, $expand and $skip query parameters. -
$expand is available on Files, IPs and Domains. e.g. $expand=files,domains - ## Request headers Name | Type | Description @@ -120,11 +122,9 @@ Here is an example of the response. "createdBy": "secop@contoso.com", "createdTime": "2019-11-05T14:08:37.8404534Z" } - ], - "alertFiles": [], - "alertDomains": [], - "alertIps": [] + ] } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 07b687504d..4207a4cc3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ROBOTS: NOINDEX --- # Get CVE-KB map API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index f835f9bc06..73b5a29c5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -18,11 +18,19 @@ ms.topic: article # Get domain related alerts API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a collection of [Alerts](alerts.md) related to a given domain address. + + +## Limitations +1. You can query on alerts last updated in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves a collection of alerts related to a given domain address. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -68,58 +76,3 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts ``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 OK -Content-type: application/json - -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - }, - { - "id": "121688558380765161_2136280442", - "incidentId": 4123, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-24T16:19:21.8409809Z", - "firstEventTime": "2018-11-24T16:17:50.0948658Z", - "lastEventTime": "2018-11-24T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index 3d5d3cd534..b8b6be1268 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -17,10 +17,20 @@ ms.topic: article --- # Get domain related machines API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a collection of machines that have communicated to or from a given domain address. +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address. + + +## Limitations +1. You can query on machines last seen in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -68,54 +78,3 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines ``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - }, - { - "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", - "computerDnsName": "mymachine2.contoso.com", - "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lastSeen": "2018-07-09T13:22:45.1250071Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "192.168.12.225", - "lastExternalIpAddress": "79.183.65.82", - "agentVersion": "10.5820.17724.1000", - "osBuild": 17724, - "healthStatus": "Inactive", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": null, - "machineTags": [ "test tag 1" ] - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index a74fa5c9ca..77725715cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -18,10 +18,18 @@ ms.topic: article # Get domain statistics API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves the statistics on the given domain. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves the prevalence for the given domain. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 0c499a7062..db2c9f018f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -17,10 +17,19 @@ ms.topic: article --- # Get file information API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a file by identifier Sha1, Sha256, or MD5. +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a [File](files.md) by identifier Sha1, or Sha256 + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -62,7 +71,7 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1 +GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` **Response** @@ -74,22 +83,22 @@ Here is an example of the response. HTTP/1.1 200 OK Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity", - "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", - "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf", - "md5": "7f05a371d2beffb3784fd2199f81d730", - "globalPrevalence": 7329, - "globalFirstObserved": "2018-04-08T05:50:29.4459725Z", - "globalLastObserved": "2018-08-07T23:35:11.1361328Z", - "windowsDefenderAVThreatName": null, - "size": 391680, - "fileType": "PortableExecutable", - "isPeFile": true, - "filePublisher": null, - "fileProductName": null, - "signer": null, - "issuer": null, - "signerHash": null, - "isValidCertificate": null + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity", + "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", + "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462", + "globalPrevalence": 180022, + "globalFirstObserved": "2017-09-19T03:51:27.6785431Z", + "globalLastObserved": "2020-01-06T03:59:21.3229314Z", + "size": 22139496, + "fileType": "APP", + "isPeFile": true, + "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.", + "fileProductName": "EaseUS MobiSaver for Android", + "signer": "CHENGDU YIWO Tech Development Co., Ltd.", + "issuer": "VeriSign Class 3 Code Signing 2010 CA", + "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16", + "isValidCertificate": false, + "determinationType": "Pua", + "determinationValue": "PUA:Win32/FusionCore" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index 3f6ac44dd3..146a80fcf6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -18,12 +18,19 @@ ms.topic: article # Get file related alerts API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves a collection of alerts related to a given file hash. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -69,38 +76,3 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "value": [ - { - "id": "121688558380765161_2136280442", - "incidentId": 7696, - "assignedTo": "secop@contoso.com", - "severity": "High", - "status": "New", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index de5d6837e9..a1e522151c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -18,11 +18,18 @@ ms.topic: article # Get file related machines API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a collection of [Machines](machine.md) related to a given file hash. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -- Retrieves a collection of machines related to a given file hash. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -69,52 +76,3 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - }, - { - "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", - "computerDnsName": "mymachine2.contoso.com", - "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lastSeen": "2018-07-09T13:22:45.1250071Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "192.168.12.225", - "lastExternalIpAddress": "79.183.65.82", - "agentVersion": "10.5820.17724.1000", - "osBuild": 17724, - "healthStatus": "Inactive", - "rbacGroupId": 140, - "riskScore": "Low", - "aadDeviceId": null, - "machineTags": [ "test tag 1" ] - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 5f2cfec15b..b6abc23c5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -18,11 +18,18 @@ ms.topic: article # Get file statistics API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves the statistics for the given file. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves the prevalence for the given file. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -64,7 +71,7 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats +GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats ``` **Response** @@ -77,13 +84,15 @@ HTTP/1.1 200 OK Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", - "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", - "orgPrevalence": "3", - "orgFirstSeen": "2018-07-15T06:13:59Z", - "orgLastSeen": "2018-08-03T16:45:21Z", + "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", + "orgPrevalence": "14850", + "orgFirstSeen": "2019-12-07T13:44:16Z", + "orgLastSeen": "2020-01-06T13:39:36Z", + "globalPrevalence": "705012", + "globalFirstObserved": "2015-03-19T12:20:07.3432441Z", + "globalLastObserved": "2020-01-06T13:39:36Z", "topFileNames": [ - "chrome_1.exe", - "chrome_2.exe" + "MREC.exe" ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md new file mode 100644 index 0000000000..03fc53560f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -0,0 +1,110 @@ +--- +title: List Investigations API +description: Use this API to create calls related to get Investigations collection +keywords: apis, graph api, supported apis, Investigations collection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List Investigations API + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a collection of [Investigations](investigation.md). +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) + + +## Limitations +1. Maximum page size is 10,000. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/investigations +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities. + + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## Example + +**Request** + +Here is an example of a request to get all investigations: + + +``` +GET https://api.securitycenter.windows.com/api/investigations +``` + +**Response** + +Here is an example of the response: + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations", + "value": [ + { + "id": "63017", + "startTime": "2020-01-06T14:11:34Z", + "endTime": null, + "state": "Running", + "cancelledBy": null, + "statusDetails": null, + "machineId": "a69a22debe5f274d8765ea3c368d00762e057b30", + "computerDnsName": "desktop-gtrcon0", + "triggeringAlertId": "da637139166940871892_-598649278" + } + ... + ] +} +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md new file mode 100644 index 0000000000..933c2cde60 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md @@ -0,0 +1,66 @@ +--- +title: Get Investigation object API +description: Use this API to create calls related to get Investigation object +keywords: apis, graph api, supported apis, Investigation object +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get Investigation API + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves specific [Investigation](investigation.md) by its ID. +
ID can be the investigation ID or the investigation triggering alert ID. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/investigations/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity. + diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index e7bf04d3e1..c0088b91f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -18,12 +18,19 @@ ms.topic: article # Get IP related alerts API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves a collection of alerts related to a given IP address. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -69,39 +76,4 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "value": [ - { - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } - ] -} -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 6f8fe6c478..9bc08c2680 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -18,11 +18,18 @@ ms.topic: article # Get IP statistics API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves the statistics for the given IP. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves the prevalence for the given IP. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index 7617020547..55e74662e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/07/2018 +ROBOTS: NOINDEX --- # Get KB collection API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 2f8eda6c03..aaaa6abf4d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -18,11 +18,19 @@ ms.topic: article # Get machine by ID API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves specific [Machine](machine.md) by its machine ID or computer name. + + +## Limitations +1. You can get machines last seen in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves a machine entity by ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -83,20 +91,22 @@ Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 9d364b0815..59e1357d2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -18,11 +18,19 @@ ms.topic: article # Get machine log on users API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves a collection of logged on users on a specific machine. + + +## Limitations +1. You can query on machines last seen in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Retrieves a collection of logged on users. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -81,26 +89,19 @@ Content-type: application/json "value": [ { "id": "contoso\\user1", - "firstSeen": "2018-08-02T00:00:00Z", - "lastSeen": "2018-08-04T00:00:00Z", - "mostPrevalentMachineId": null, - "leastPrevalentMachineId": null, - "logonTypes": "Network", - "logOnMachinesCount": 3, - "isDomainAdmin": false, - "isOnlyNetworkUser": null + "accountName": "user1", + "accountDomain": "contoso", + "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922", + "firstSeen": "2019-12-18T08:02:54Z", + "lastSeen": "2020-01-06T08:01:48Z", + "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", + "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", + "logonTypes": "Interactive", + "logOnMachinesCount": 8, + "isDomainAdmin": true, + "isOnlyNetworkUser": false }, - { - "id": "contoso\\user2", - "firstSeen": "2018-08-02T00:00:00Z", - "lastSeen": "2018-08-05T00:00:00Z", - "mostPrevalentMachineId": null, - "leastPrevalentMachineId": null, - "logonTypes": "Network", - "logOnMachinesCount": 3, - "isDomainAdmin": false, - "isOnlyNetworkUser": null - } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index f6499ab7bb..dd13f88123 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -17,13 +17,20 @@ ms.topic: article --- # Get machine related alerts API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a collection of alerts related to a given machine ID. +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves all [Alerts](alerts.md) related to a specific machine. + + +## Limitations +1. You can query on machines last seen in the past 30 days. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -54,52 +61,3 @@ Empty ## Response If successful and machine exists - 200 OK with list of [alert](alerts.md) entities in the body. If machine was not found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -``` -GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "value": [ - { - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 0b122f4eb6..dbcaf5b6fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -18,10 +18,18 @@ ms.topic: article # Get machineAction API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves specific [Machine Action](machineaction.md) by its ID. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Get action performed on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -77,15 +85,17 @@ HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", - "type": "RunAntiVirusScan", - "requestor": "Analyst@contoso.com", - "requestorComment": "Check machine for viruses due to alert 3212", + "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", + "type": "Isolate", + "scope": "Selective", + "requestor": "Analyst@TestPrd.onmicrosoft.com", + "requestorComment": "test for docs", "status": "Succeeded", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", - "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", - "relatedFileInfo": null + "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378", + "computerDnsName": "desktop-test", + "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z", + "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", + "relatedFileInfo": null } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 6389f8c1f4..c9883c2e4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -18,17 +18,22 @@ ms.topic: article # List MachineActions API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Gets collection of actions done on machines. -Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +## API description +Retrieves a collection of [Machine Actions](machineaction.md). +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) -The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". -See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +## Limitations +1. Maximum page size is 10,000. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -89,10 +94,12 @@ Content-type: application/json { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", "relatedFileInfo": null @@ -100,10 +107,12 @@ Content-type: application/json { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan", + "scope": "Full", "requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", "relatedFileInfo": null @@ -111,10 +120,12 @@ Content-type: application/json { "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", "type": "StopAndQuarantineFile", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z", "relatedFileInfo": { @@ -151,10 +162,12 @@ Content-type: application/json { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", "relatedFileInfo": null @@ -162,10 +175,12 @@ Content-type: application/json { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan", + "scope": "Full", "requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", "relatedFileInfo": null diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 1434e0878e..31ef6bb72d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -18,17 +18,23 @@ ms.topic: article # List machines API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This API can do the following actions: -- Retrieves a collection of machines that have communicated with Microsoft Defender ATP cloud on the last 30 days. -- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". +## API description +Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud on the last 30 days. +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) + + +## Limitations +1. You can get machines last seen in the past 30 days. +2. Maximum page size is 10,000. +3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) ## Permissions @@ -88,42 +94,25 @@ Content-type: application/json "value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - }, - { - "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", - "computerDnsName": "mymachine2.contoso.com", - "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lastSeen": "2018-07-09T13:22:45.1250071Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "192.168.12.225", - "lastExternalIpAddress": "79.183.65.82", - "agentVersion": "10.5820.17724.1000", - "osBuild": 17724, - "healthStatus": "Inactive", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "Active", "rbacGroupId": 140, "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "isAadJoined": false, - "aadDeviceId": null, - "machineTags": [ "test tag 1" ] + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index d3b61ac453..986c832afc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -18,11 +18,14 @@ ms.topic: article # Get package SAS URI API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md). -Get a URI that allows downloading of an [investigation package](collect-investigation-package.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md new file mode 100644 index 0000000000..066146d158 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -0,0 +1,54 @@ +--- +title: Become a Microsoft Defender ATP partner +ms.reviewer: +description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner +keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Become a Microsoft Defender ATP partner + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps. + +## Step 1: Subscribe to a Microsoft Defender ATP Developer license +Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP. + +## Step 2: Fulfill the solution validation and certification requirements +The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team. + +Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association. + +## Step 3: Become a Microsoft Intelligent Security Association member +[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products. + +## Step 4: Get listed in the Microsoft Defender ATP partner application portal +Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal. + +To have your company listed as a partner in the in-product partner page, you will need to provide the following: + +1. A square logo (SVG). +2. Name of the product to be presented. +3. Provide a 15-word product description. +4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed. +5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application. + + +Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. + +## Related topics +- [Technical partner opportunities](partner-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 84051f2159..7ac3ed480b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -18,16 +18,21 @@ ms.topic: article # List Indicators API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ->[!NOTE] -> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) +## API description +Retrieves a collection of all active [Indicators](ti-indicator.md). +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) -- Gets collection of TI Indicators. -- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/). +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) @@ -36,7 +41,7 @@ Permission type | Permission | Permission display name :---|:---|:--- Application | Ti.ReadWrite | 'Read and write Indicators' Application | Ti.ReadWrite.All | 'Read and write All Indicators' - +Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' ## HTTP request ``` @@ -82,26 +87,38 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", "value": [ { + "id": "995", "indicatorValue": "12.13.14.15", "indicatorType": "IpAddress", + "action": "Alert", + "application": "demo-test", + "source": "TestPrdApp", + "sourceType": "AadApp", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z", - "action": "Alert", + "lastUpdateTime": "2019-10-24T10:54:23.2009016Z", + "lastUpdatedBy": TestPrdApp, "severity": "Informational", "description": "test", "recommendedActions": "test", "rbacGroupNames": [] }, { + "id": "996", "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", + "action": "AlertAndBlock", + "application": null, + "source": "TestPrdApp", + "sourceType": "AadApp", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", + "lastUpdateTime": "2019-10-24T10:54:23.2009016Z", + "lastUpdatedBy": TestPrdApp, "severity": "Informational", "description": "test", "recommendedActions": "TEST", @@ -119,7 +136,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action ``` -GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock' +GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` **Response** @@ -133,13 +150,19 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators", "value": [ { - "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "id": "997", + "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", + "action": "AlertAndBlock", + "application": null, + "source": "TestPrdApp", + "sourceType": "AadApp", "title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", + "lastUpdateTime": "2019-10-24T10:54:23.2009016Z", + "lastUpdatedBy": TestPrdApp, "severity": "Informational", "description": "test", "recommendedActions": "TEST", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 724fb808b6..0eaec5311d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -18,12 +18,19 @@ ms.topic: article # Get user related alerts API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves a collection of alerts related to a given user ID. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -70,59 +77,4 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/users/user1/alerts -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "value": [ - { - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - }, - { - "id": "121688558380765161_2136280442", - "incidentId": 4123, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-24T16:19:21.8409809Z", - "firstEventTime": "2018-11-24T16:17:50.0948658Z", - "lastEventTime": "2018-11-24T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } - ] -} -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index f1ede24b29..ec84fa1f38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -18,12 +18,19 @@ ms.topic: article # Get user related machines API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Retrieves a collection of machines related to a given user ID. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -72,54 +79,3 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/users/user1/machines ``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - }, - { - "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", - "computerDnsName": "mymachine2.contoso.com", - "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lastSeen": "2018-07-09T13:22:45.1250071Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "192.168.12.225", - "lastExternalIpAddress": "79.183.65.82", - "agentVersion": "10.5820.17724.1000", - "osBuild": 17724, - "healthStatus": "Inactive", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": null, - "machineTags": [ "test tag 1" ] - } - ] -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png new file mode 100644 index 0000000000..b7dea8615b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-and-integration.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png new file mode 100644 index 0000000000..7a74411ba6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-apis.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png new file mode 100644 index 0000000000..26eed612da Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png new file mode 100644 index 0000000000..76dce431e1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png new file mode 100644 index 0000000000..5d1588dee2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index f875c8027f..3e95295b96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -1,7 +1,7 @@ --- -title: Initiate machine investigation API -description: Use this API to create calls related to initiating an investigation on a machine. -keywords: apis, graph api, supported apis, initiate AutoIR investigation +title: Start Investigation API +description: Use this API to start investigation on a machine. +keywords: apis, graph api, supported apis, investigation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -16,38 +16,39 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Initiate machine investigation API (Preview) -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +# Start Investigation API -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Initiate AutoIR investigation on a machine. +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Start automated investigation on a machine. +
See [Overview of automated investigations](automated-investigations.md) for more information. ->[!Note] -> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations.md) for more information. ## Limitations -1. The number of executions is limited (up to 5 calls per hour). -2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations.md). +1. Rate limitations for this API are 50 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- -Application | Alert.ReadWrite.All | 'Read and write all alerts' -Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) >- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) + ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation +POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation ``` ## Request headers @@ -64,8 +65,10 @@ Parameter | Type | Description :---|:---|:--- Comment | String | Comment to associate with the action. **Required**. + ## Response -If successful, this method returns 200 OK response code with object that holds the investigation ID in the "value" parameter. If machine was not found - 404 Not Found. +If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body. + ## Example @@ -76,23 +79,8 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation Content-type: application/json { - "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2" + "Comment": "Test investigation", } -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64", - "value": 5146 -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md new file mode 100644 index 0000000000..ec516a1afc --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -0,0 +1,64 @@ +--- +title: Investigation resource type +description: Microsoft Defender ATP Investigation entity. +keywords: apis, graph api, supported apis, get, alerts, investigations +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Investigation resource type + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Represent an Automated Investigation entity in Microsoft Defender ATP. +
See [Overview of automated investigations](automated-investigations.md) for more information. + +## Methods +Method|Return Type |Description +:---|:---|:--- +[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation +[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a machine. + + +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Identity of the investigation entity. +startTime | DateTime Nullable | The date and time when the investigation was created. +endTime | DateTime Nullable | The date and time when the investigation was completed. +cancelledBy | String | The ID of the user/application that cancelled that investigation. +investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. +statusDetails | String | Additional information about the state of the investigation. +machineId | String | The ID of the machine on which the investigation is executed. +computerDnsName | String | The name of the machine on which the investigation is executed. +triggeringAlertId | String | The ID of the alert that triggered the investigation. + + +## Json representation + +```json +{ + "id": "63004", + "startTime": "2020-01-06T13:05:15Z", + "endTime": null, + "state": "Running", + "cancelledBy": null, + "statusDetails": null, + "machineId": "e828a0624ed33f919db541065190d2f75e50a071", + "computerDnsName": "desktop-test123", + "triggeringAlertId": "da637139127150012465_1011995739" +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 4a1fb9b49b..8b8c759287 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -18,12 +18,19 @@ ms.topic: article # Isolate machine API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Isolates a machine from accessing external network. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -85,27 +92,5 @@ Content-type: application/json “IsolationType”: “Full” } -``` -**Response** -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "b89eb834-4578-496c-8be0-03f004061435", - "type": "Isolate", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Isolate machine due to alert 1234", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", - "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z", - "relatedFileInfo": null -} - -``` - -To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). +- To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 259e8692cd..083d1a181e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -225,7 +225,7 @@ $ mdatp --health healthy The above command prints "1" if the product is onboarded and functioning as expected. If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: -- 1 if the device is not yet onboarded +- 0 if the device is not yet onboarded - 3 if the connection to the daemon cannot be established—for example, if the daemon is not running ## Logging installation issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index c5b8407fc6..85deccc918 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -371,10 +371,6 @@ The following configuration profile will: ### Intune profile ```XML - - - - PayloadUUID C4E6A782-0C8D-44AB-A025-EB893987A295 PayloadType @@ -443,8 +439,6 @@ The following configuration profile will: - - ``` ## Full configuration profile example @@ -530,10 +524,6 @@ The following configuration profile contains entries for all settings described ### Intune profile ```XML - - - - PayloadUUID C4E6A782-0C8D-44AB-A025-EB893987A295 PayloadType @@ -640,8 +630,6 @@ The following configuration profile contains entries for all settings described - - ``` ## Configuration profile deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 53c62c311d..43323ca96d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -19,6 +19,10 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Mac +## 100.82.60 + +- Addressed an issue where the product fails to start following a definition update. + ## 100.80.42 - Bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index a4227c1113..4edb6f1e70 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -17,8 +17,10 @@ ms.topic: article --- # Machine resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Methods @@ -38,15 +40,41 @@ id | String | [machine](machine.md) identity. computerDnsName | String | [machine](machine.md) fully qualified name. firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. -osPlatform | String | OS platform. -osVersion | String | OS Version. +osPlatform | String | Operating system platform. +version | String | Operating system Version. +osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -agentVersion | String | Version of Microsoft Defender ATP agent. -osBuild | Nullable long | OS build number. healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" -rbacGroupId | Int | RBAC Group ID. -rbacGroupName | String | RBAC Group Name. +rbacGroupName | String | Machine group Name. +rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). +exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. +aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). machineTags | String collection | Set of [machine](machine.md) tags. + + +## Json representation + +```json +{ + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "version": "1709", + "osProcessor": "x64", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Medium", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 714a678227..fdd4146f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -18,8 +18,11 @@ ms.topic: article # MachineAction resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +- See [Response Actions](respond-machine-alerts.md) for more information | Method | Return Type | Description | |:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------| @@ -33,6 +36,7 @@ ms.topic: article | [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. | | [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). | | [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. | +| [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
@@ -42,11 +46,31 @@ ms.topic: article |:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | id | Guid | Identity of the [Machine Action](machineaction.md) entity. | | type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" | +| scope | string | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan. | | requestor | String | Identity of the person that executed the action. | | requestorComment | String | Comment that was written when issuing the action. | | status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". | -| machineId | String | Id of the machine on which the action was executed. | +| machineId | String | Id of the [machine](machine.md) on which the action was executed. | +| machineId | String | Name of the [machine](machine.md) on which the action was executed. | | creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. | | lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. | -| relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". | +| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5". | + +## Json representation + +```json +{ + "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", + "type": "Isolate", + "scope": "Selective", + "requestor": "Analyst@TestPrd.onmicrosoft.com", + "requestorComment": "test for docs", + "status": "Succeeded", + "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378", + "computerDnsName": "desktop-test", + "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z", + "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", + "relatedFileInfo": null +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 2ea167343f..f838be1390 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -1,8 +1,8 @@ --- title: Overview of management and APIs ms.reviewer: -description: -keywords: +description: Learn about the management tools and API categories in Microsoft Defender ATP +keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -29,6 +29,8 @@ Microsoft Defender ATP supports a wide variety of options to ensure that custome Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. +## Endpoint onboarding and portal access + Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: @@ -36,31 +38,39 @@ Microsoft Defender ATP provides fine-grained control over what users with access - Tiered model security operations teams - Fully segregated divisions with single centralized global security operations teams -The Microsoft Defender ATP solution is built on top of an integration-ready platform: -- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. -- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation: - - Enriching events coming from other security systems with foot print or prevalence information - - Triggering file or machine level response actions through APIs - - Keeping systems in-sync such as importing machine tags from asset management systems into Microsoft Defender ATP, synchronize alerts and incidents status cross ticketing systems with Microsoft Defender ATP. +## Available APIs +The Microsoft Defender ATP solution is built on top of an integration-ready platform. -An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification: -- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. -- Microsoft Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Microsoft Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Microsoft Defender ATP data with your own data stream to produce business specific reports. - - -## In this section -Topic | Description -:---|:--- -Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts. -Managed security service provider | Get a quick overview on managed security service provider support. +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. + +![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png) + +The Microsoft Defender ATP APIs can be grouped into three: +- Microsoft Defender ATP APIs +- Raw data streaming API +- SIEM integration + +## Microsoft Defender ATP APIs + +Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. + +The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md). + +The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others. + +## Raw data streaming API +Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. + +The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. + +For more information see, [Raw data streaming API](raw-data-export.md). +## SIEM API +When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md) ## Related topics -- [Onboard machines](onboard-configure.md) -- [Enable the custom threat intelligence application](enable-custom-ti.md) -- [Microsoft Defender ATP Public API](apis-intro.md) -- [Pull alerts to your SIEM tools](configure-siem.md) -- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Role-based access control](rbac.md) +- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md) +- [Supported APIs](exposed-apis-list.md) +- [Technical partner opportunities](partner-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 6cad2a8034..be43f23ee8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -63,7 +63,7 @@ The three most recent major releases of macOS are supported. - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 650 MB -Beta versions of macOS are not supported. macOS Sierra (10.12) support will end on January 1, 2020. +Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020. After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 987ba57bd7..5c52a93ff5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -174,6 +174,9 @@ When Windows Defender Antivirus is not the active antimalware in your organizati If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +> [!NOTE] +> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on. + For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index 4859c4cd49..dc86cb4ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -1,5 +1,5 @@ --- -title: Managed security service provider (MSSP) support +title: Managed security service provider (MSSP) partnership opportunities description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP) keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Managed security service provider support +# Managed security service provider partnership opportunities **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -25,14 +25,13 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) - Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP. -Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions: +Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions: - Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 314f1a67e6..ab3dd486d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -18,12 +18,19 @@ ms.topic: article # Offboard machine API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Offboard machine from Microsoft Defender ATP. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -76,26 +83,4 @@ Content-type: application/json { "Comment": "Offboard machine by automation" } -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "c9042f9b-8483-4526-87b5-35e4c2532223", - "type": "OffboardMachine", - "requestor": "Analyst@contoso.com", - "requestorComment": "offboard machine by automation", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "relatedFileInfo": null -} - -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index a603fac035..987d3c8ce0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -381,7 +381,12 @@ ####### [Run antivirus scan](run-av-scan.md) ####### [Offboard machine](offboard-machine-api.md) ####### [Stop and quarantine file](stop-and-quarantine-file.md) -####### [Initiate investigation (preview)](initiate-autoir-investigation.md) + +###### [Automated Investigation]() +####### [Investigation methods and properties](microsoft-defender-atp/investigation.md) +####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md) +####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md) +####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md) ###### [Indicators]() ####### [Methods and properties](ti-indicator.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md new file mode 100644 index 0000000000..f9914b49c5 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -0,0 +1,55 @@ +--- +title: Microsoft Defender ATP partner opportunities and scenarios +ms.reviewer: +description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP +keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender ATP partner opportunities and scenarios + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP. + +The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. + + +## Scenario 1: External alert correlation and Automated investigation and remediation +Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. + +Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. + +Microsoft Defender ATP adds support for this scenario in the following forms: +- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack. + +- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert. + +## Scenario 2: Security orchestration and automation response (SOAR) integration +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. + +## Scenario 3: Indicators matching +Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. + +The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios. + +Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP. + +## Related topic +- [Overview of management and APIs](management-apis.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index 2165a3f073..b865033486 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -18,18 +18,19 @@ ms.topic: article # Submit or Update Indicator API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ->[!NOTE] -> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) +## API description +Submits or Updates new [Indicator](ti-indicator.md) entity. +
CIDR notation for IPs is supported. +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. +2. There is a limit of 5,000 active indicators per tenant. -- Submits or Updates new [Indicator](ti-indicator.md) entity. - ->[!NOTE] ->There is a limit of 5000 indicators per tenant. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) @@ -38,6 +39,7 @@ Permission type | Permission | Permission display name :---|:---|:--- Application | Ti.ReadWrite | 'Read and write Indicators' Application | Ti.ReadWrite.All | 'Read and write All Indicators' +Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' ## HTTP request @@ -63,16 +65,17 @@ Parameter | Type | Description indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** -title | String | Indicator alert title. **Optional** +application | String | The application associated with the indicator. **Optional** +title | String | Indicator alert title. **Required** +description | String | Description of the indicator. **Required** expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** -description | String | Description of the indicator. **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional** ## Response - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body. -- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit an Indicator that conflicts with an existing Indicator type or Action. +- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. ## Example @@ -84,40 +87,16 @@ Here is an example of the request. POST https://api.securitycenter.windows.com/api/indicators Content-type: application/json { - "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", "title": "test", + "application": "demo-test", "expirationTime": "2020-12-12T00:00:00Z", "action": "AlertAndBlock", "severity": "Informational", "description": "test", - "recommendedActions": "TEST" + "recommendedActions": "nothing" } -``` -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity", - "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", - "indicatorType": "FileSha1", - "title": "test", - "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", - "createdBy": "45097602-1234-5678-1234-9f453233e62c", - "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", - "severity": "Informational", - "description": "test", - "recommendedActions": "TEST", - "rbacGroupNames": [] -} - -``` - ## Related topic - [Manage indicators](manage-indicators.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index dd7b5aa37f..6addf06827 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -18,11 +18,18 @@ ms.topic: article # Restrict app execution API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Restrict execution of all applications on the machine except a predefined set. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts.md) for more information) [!include[Machine actions note](../../includes/machineactionsnote.md)] @@ -76,29 +83,6 @@ Content-type: application/json } ``` -**Response** -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "78d408d1-384c-4c19-8b57-ba39e378011a", - "type": "RestrictCodeExecution", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Restrict code execution due to alert 1234", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "relatedFileInfo": null -} - -``` - -To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). +- To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 648cd1a9ee..10a0f81607 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -18,12 +18,19 @@ ms.topic: article # Run antivirus scan API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Initiate Windows Defender Antivirus scan on a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -85,26 +92,3 @@ Content-type: application/json } ``` -**Response** - -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", - "type": "RunAntiVirusScan", - "requestor": "Analyst@contoso.com", - "requestorComment": "Check machine for viruses due to alert 3212", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "relatedFileInfo": null -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 90a5c9e590..edfd07e6a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -18,12 +18,19 @@ ms.topic: article # Stop and quarantine file API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Stop execution of a file on a machine and delete it. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -78,30 +85,3 @@ Content-type: application/json } ``` -**Response** - -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "141408d1-384c-4c19-8b57-ba39e378011a", - "type": "StopAndQuarantineFile", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "relatedFileInfo": { - "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", - "fileIdentifierType": "Sha1" - } -} - -``` - diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index c9d50043b1..c003b67a2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -50,5 +50,19 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. +## In this section + +Topic | Description +:---|:--- +[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections. +[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. +[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. +[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. +[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API. +[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. + + + ## Related topics - [Manage indicators](manage-indicators.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 28e3bd225c..8e4d732734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -18,9 +18,11 @@ ms.topic: article # Indicator resource type -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +- See the corresponding [Indicators page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal. Method|Return Type |Description :---|:---|:--- @@ -28,23 +30,49 @@ Method|Return Type |Description [Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity. [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity. -- See the corresponding [page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal. - -For more information on creating indicators, see [Manage indicators](manage-indicators.md). ## Properties Property | Type | Description :---|:---|:--- -indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. -indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" -title | String | Indicator alert title. +id | String | Identity of the [Indicator](ti-indicator.md) entity. +indicatorValue | String | The value of the [Indicator](ti-indicator.md). +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". +application | String | The application associated with the indicator. +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". +sourceType | Enum | "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API. +source | string | The name of the user/application that submitted the indicator. +createdBy | String | Unique identity of the user/application that submitted the indicator. +lastUpdatedBy | String | Identity of the user/application that last updated the indicator. creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. -createdBy | String | Identity of the user/application that submitted the indicator. -expirationTime | DateTimeOffset | The expiration time of the indicator -action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" -severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" +expirationTime | DateTimeOffset | The expiration time of the indicator. +lastUpdateTime | DateTimeOffset | The last time the indicator was updated. +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". +title | String | Indicator title. description | String | Description of the indicator. -recommendedActions | String | Indicator alert recommended actions. -rbacGroupNames | List of strings | RBAC group names where the indicator is exposed. Empty list in case it exposed to all groups. +recommendedActions | String | Recommended actions for the indicator. +rbacGroupNames | List of strings | RBAC machine group names where the indicator is exposed and active. Empty list in case it exposed to all machines. +## Json representation + +```json +{ + "id": "994", + "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd", + "indicatorType": "FileSha256", + "action": "AlertAndBlock", + "application": null, + "source": "user@contoso.onmicrosoft.com", + "sourceType": "User", + "createdBy": "user@contoso.onmicrosoft.com", + "severity": "Informational", + "title": "Michael test", + "description": "test", + "recommendedActions": "nothing", + "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z", + "expirationTime": null, + "lastUpdateTime": "2019-12-19T09:09:47.3358111Z", + "lastUpdatedBy": null, + "rbacGroupNames": ["team1"] +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 11030ae66c..5bc8ed293e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -44,12 +44,21 @@ Each machine in the organization is scored based on three important factors: thr You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it. -From the menu, select **Security recommendations** to get an overview of the running list with its weaknesses, related components, application, operating system, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. +*Security recommendations option from the left navigation menu* +1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. ![Screenshot of Security recommendations page](images/tvm_securityrecommendation-graph.png) ->[!NOTE] -> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens per change, which means an increase or decrease of even a single machine will change the graph's color. + >[!NOTE] + > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. + + You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**. +

![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype_swupdatefilter.png) + +2. Select the security recommendation that you need to investigate or process. +

![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec_flyouteolsw.png) + + *Top security recommendations from the dashboard* In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 9c17d1b578..40c5117a86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -19,12 +19,19 @@ ms.topic: article # Release machine from isolation API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Undo isolation of a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -80,30 +87,7 @@ Content-type: application/json } ``` -**Response** -Here is an example of the response. ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558", - "type": "Unisolate", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Unisolate machine since it was clean and validated ", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z", - "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z", - "relatedFileInfo": null -} - -``` - -To isolate a machine, see [Isolate machine](isolate-machine.md). +- To isolate a machine, see [Isolate machine](isolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index fdb3691cc4..9687b34e41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -18,12 +18,19 @@ ms.topic: article # Remove app restriction API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Enable execution of any application on the machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -78,26 +85,5 @@ Content-type: application/json ``` -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", - "type": "UnrestrictCodeExecution", - "requestor": "Analyst@contoso.com", - "requestorComment": "Unrestrict code execution since machine was cleaned and validated ", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z", - "relatedFileInfo": null -} - -``` To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 1f6195d622..d51346f8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -18,11 +18,21 @@ ms.topic: article # Update alert -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Updates properties of existing [Alert](alerts.md). +
Submission of **comment** is available with or without updating properties. +
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```. + + +## Limitations +1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Update the properties of an alert entity. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -51,7 +61,9 @@ Content-Type | String | application/json. **Required**. ## Request body -In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change. +In the request body, supply the values for the relevant fields that should be updated. +
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. +
For best performance you shouldn't include existing values that haven't change. Property | Type | Description :---|:---|:--- @@ -59,6 +71,7 @@ status | String | Specifies the current status of the alert. The property values assignedTo | String | Owner of the alert classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' +comment | String | Comment to be added to the alert. [!include[Improve request performance](../../includes/improve-request-performance.md)] @@ -75,35 +88,12 @@ Here is an example of the request. ``` PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 Content-Type: application/json + { - "assignedTo": "secop2@contoso.com" -} -``` - -**Response** - -Here is an example of the response. - -``` -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", - "id": "121688558380765161_2136280442", - "incidentId": 7696, + "status": "Resolved", "assignedTo": "secop2@contoso.com", - "severity": "High", - "status": "New", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "classification": "FalsePositive", + "determination": "Malware", + "comment": "Resolve my alert and assign to secop2" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index 9700fea0cb..bd76e783d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -18,8 +18,9 @@ ms.topic: article # User resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Method|Return Type |Description :---|:---|:--- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 802f0fdc28..92ffe6cd6c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -19,7 +19,7 @@ ms.date: 04/19/2017 # Interactive logon: Do not require CTRL+ALT+DEL **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). @@ -37,13 +37,13 @@ A malicious user might install malware that looks like the standard logon dialog ### Possible values -- Enabled -- Disabled -- Not defined +- Enabled +- Disabled +- Not defined ### Best practices -- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. +- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index b836aabd10..accf7f1ab2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy. +Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy. ### Possible values diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index c51a7da9ea..fa061b9284 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -84,7 +84,7 @@ You can disable this setting to ensure that only globally-defined lists (such as 4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**. > [!NOTE] -> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). +> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 0013143d29..ed7b30ece9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 10/02/2018 +ms.date: 01/06/2020 ms.reviewer: manager: dansimp --- @@ -25,13 +25,13 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) -Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. For example: -* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). @@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent #### Enable PUA protection in Chromium-based Microsoft Edge -Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser. -1. From the tool bar, select **Settings and more** > **Settings** -1. Select **Privacy and services** -1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off +1. From the tool bar, select **Settings and more** > **Settings**. +2. Select **Privacy and services**. +3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off. > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). @@ -58,7 +58,7 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. @@ -71,11 +71,11 @@ The potentially unwanted application (PUA) protection feature in Windows Defende > [!NOTE] > This feature is only available in Windows 10. -Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. +Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. -The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +The notification appears in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). #### Configure PUA protection in Windows Defender Antivirus @@ -105,7 +105,7 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat ##### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -119,17 +119,30 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat ##### Use PowerShell cmdlets to configure PUA protection -Use the following cmdlet: +###### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection +Set-MpPreference -PUAProtection enable ``` - Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +###### To set PUA protection to audit mode + +```PowerShell +Set-MpPreference -PUAProtection auditmode +``` Setting `AuditMode` will detect PUAs without blocking them. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +###### To disable PUA protection + +We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: + +```PowerShell +Set-MpPreference -PUAProtection disable +``` +Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. #### View PUA events diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png new file mode 100644 index 0000000000..82a7cebf32 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tamperattemptalert.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png new file mode 100644 index 0000000000..37604390f6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png new file mode 100644 index 0000000000..87b8811411 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-consumer.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png new file mode 100644 index 0000000000..0bb53680a3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-enterprise.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png new file mode 100644 index 0000000000..b0a6b01f23 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotect-intune.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png new file mode 100644 index 0000000000..3d0c58844b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turnontamperprotection.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index f76c49cd91..b6e4410cd1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/18/2019 +ms.date: 01/09/2020 ms.reviewer: manager: dansimp ms.custom: nextgen @@ -30,7 +30,7 @@ Keeping your antivirus protection up to date is critical. There are two componen - *Where* the updates are downloaded from; and - *When* updates are downloaded and applied. -This article describes the *where* - how to specify where updates should be downloaded from (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). +This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). > [!IMPORTANT] > Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). @@ -40,7 +40,7 @@ This article describes the *where* - how to specify where updates should be down ## Fallback order -Typically, you configure endpoints to individually download updates from a primary source, followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used. +Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used. When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors: - The age of the last update on the device; and @@ -73,16 +73,13 @@ Each source has typical scenarios that depend on how your network is configured, |System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.| |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| - You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). - The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it. - ## Use Group Policy to manage the update location 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. @@ -103,7 +100,7 @@ The procedures in this article first describe how to set the order, and then how 4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**. - 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. + 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates. 6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. @@ -124,7 +121,7 @@ Use the following PowerShell cmdlets to set the update order. Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH} ``` -See the following for more information: +See the following articles for more information: - [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference) - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) @@ -139,13 +136,21 @@ SignatureFallbackOrder SignatureDefinitionUpdateFileSharesSource ``` -See the following for more information: +See the following articles for more information: - [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) ## Use Mobile Device Management (MDM) to manage the update location See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. +## What if we're using a third-party vendor? + +This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks. + +For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates. + +> [!NOTE] +> Microsoft does not test third-party solutions for managing Windows Defender Antivirus. ## Related articles diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 817ec8cbb1..0ffdb17171 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,9 +1,9 @@ --- -title: Protect security settings with Tamper Protection +title: Protect security settings with tamper protection ms.reviewer: manager: dansimp -description: Use Tamper Protection to prevent malicious apps from changing important security settings. -keywords: malware, defender, antivirus, Tamper Protection +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -17,7 +17,7 @@ ms.author: deniseb ms.custom: nextgen --- -# Protect security settings with Tamper Protection +# Protect security settings with tamper protection **Applies to:** @@ -25,9 +25,9 @@ ms.custom: nextgen ## Overview -During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring. +During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. -With Tamper Protection, malicious apps are prevented from taking actions like these: +With tamper protection, malicious apps are prevented from taking actions like these: - Disabling virus and threat protection - Disabling real-time protection - Turning off behavior monitoring @@ -35,25 +35,38 @@ With Tamper Protection, malicious apps are prevented from taking actions like th - Disabling cloud-delivered protection - Removing security intelligence updates -## How it works +### How it works - Tamper Protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these: + Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these: - Configuring settings in Registry Editor on your Windows machine - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies - and so on. -Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team. +Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team. ### What do you want to do? -[Turn Tamper Protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine) +1. Turn tamper protection on
+ - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine). + - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). -[Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) +2. [View information about tampering attempts](#view-information-about-tampering-attempts). -## Turn Tamper Protection on (or off) for an individual machine +3. [Review your security recommendations](#review-your-security-recommendations). -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task. +4. [Browse the frequently asked questions](#view-information-about-tampering-attempts). + +## Turn tamper protection on (or off) for an individual machine + +> [!NOTE] +> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry. +> +> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).) +> +> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. + +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. 1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. @@ -61,73 +74,123 @@ If you are a home user, or you are not subject to settings managed by a security 3. Set **Tamper Protection** to **On** or **Off**. +Here's what you see in the Windows Security app: + +![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png) + +## Turn tamper protection on (or off) for your organization using Intune + +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). + > [!NOTE] -> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. -> -> To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).) -> -> Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. - - -## Turn Tamper Protection on (or off) for your organization using Intune - -If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.) +> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. -1. Make sure your organization meets the following requirements: +1. Make sure your organization meets all of the following requirements: - - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.) - - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities). - - Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later. - - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above) - - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) + - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). + - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) + - Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) + - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). + - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) 2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. 3. Select **Device configuration** > **Profiles**. -4. Create a profile that includes the following settings: +4. Create a profile as follows: - - **Platform**: Windows 10 and later - - **ProfileType**: Endpoint protection - - **Settings** > Windows Defender Security Center > Tamper Protection + - Platform: **Windows 10 and later** + + - Profile type: **Endpoint protection** + + - Category: **Microsoft Defender Security Center** + + - Tamper Protection: **Enabled** + + ![Turn tamper protection on with Intune](images/turnontamperprotect-intune.png) 5. Assign the profile to one or more groups. +Here's what you see in the Windows Security app: + +![Turning tamper protection on in Windows 10 Enterprise](images/turnontamperprotect-enterprise.png) + +### Are you using Windows OS 1709, 1803, or 1809? + +If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, the one of the following procedures to determine whether tamper protection is enabled. + +#### Use PowerShell to determine whether tamper protection is turned + +1. Open the Windows PowerShell app. + +2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet. + +3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) + +#### View a registry key value to determine whether tamper protection is turned on + +1. Open the Registry Editor app. + +2. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Windows Defender** > **Features**. + +3. Look for an entry of **TamperProtection** of type **REG_DWORD**, with a value of **0x5**.
+ - If you see **TamperProtection** with a value of **0**, tamper protection is not turned on. + - If you do not see **TamperProtection** at all, tamper protection is not turned on. + +## View information about tampering attempts + +Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. + +When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +![Microsoft Defender Security Center](images/tamperattemptalert.png) + +Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. + +## Review your security recommendations + +Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image: + +![Tamper protection results in security recommendations](../images/securityrecs-tamperprotect.jpg) + +In the results, you can select **Turn on Tamper Protection** to learn more and turn it on. + +![Turn on tamper protection](tamperprotectsecurityrecos.png) + +To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center). + ## Frequently asked questions -### To which Windows OS versions is configuring Tamper Protection is applicable? +### To which Windows OS versions is configuring tamper protection is applicable? -Windows 1903 May release +Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### Is configuring Tamper Protection in Intune supported on servers? +### Is configuring tamper protection in Intune supported on servers? No -### Will Tamper Protection have any impact on third party antivirus registration? +### Will tamper protection have any impact on third party antivirus registration? -No, third-party antivirus will continue to register with the Windows Security application. +No. Third-party antivirus offerings will continue to register with the Windows Security application. -### What happens if Microsoft Defender Antivirus is not active on a device? +### What happens if Windows Defender Antivirus is not active on a device? -Tamper Protection will not have any impact on such devices. +Tamper protection will not have any impact on such devices. -### How can I turn Tamper Protection on/off? +### How can I turn tamper protection on/off? -If you are a home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). +If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). +If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). - -### How does configuring Tamper Protection in Intune affect how I manage Windows Defender Antivirus through my group policy? - -Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on. +### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy? +Your regular group policy doesn’t apply to tamper protection, and changes to Windows Defender Antivirus settings are ignored when tamper protection is on. >[!NOTE] ->A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by Tamper Protection. -To avoid any potential delays, it is recommended to remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect Windows Defender Antivirus settings.

+>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings.

> Sample Windows Defender Antivirus settings:
> Turn off Windows Defender Antivirus
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\ @@ -136,32 +199,31 @@ Value DisableAntiSpyware = 0

Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Real-time Protection\ Value DisableRealtimeMonitoring = 0 +### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? -### For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization only? +Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. -Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune. +### Can I configure tamper protection in System Center Configuration Manager? -### Can I configure Tamper Protection in System Center Configuration Manager? +Currently, managing tamper protection through System Center Configuration Manager is not supported. -Currently we do not have support to manage Tamper Protection through System Center Configuration Manager. +### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? -### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune? +Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device? -### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. -You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored. +### I’m an enterprise customer. Can local admins change tamper protection on their devices? -### I’m an enterprise customer. Can local admins change Tamper Protection on their devices? - -No. Local admins cannot change or modify Tamper Protection settings. +No. Local admins cannot change or modify tamper protection settings. ### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state? -In this case, Tamper Protection status changes, and this feature is no longer applied. +In this case, tamper protection status changes, and this feature is no longer applied. -### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center? +### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center? Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. @@ -169,16 +231,16 @@ In addition, your security operations team can use hunting queries, such as the `AlertEvents | where Title == "Tamper Protection bypass"` -### Will there be a group policy setting for Tamper Protection? +[View information about tampering attempts](#view-information-about-tampering-attempts). + +### Will there be a group policy setting for tamper protection? No. -## Related resources - -[Windows 10 Enterprise Security](https://docs.microsoft.com/windows/security/index) +## Related articles [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -[Microsoft 365 Enterprise overview (at a glance)](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview#at-a-glance) +[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png b/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png new file mode 100644 index 0000000000..69485c42e9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 133cd1426f..8f28ada884 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -40,7 +40,7 @@ Before you begin this process, you need to create a WDAC policy binary file. If > > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] > diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 9633a7cf60..26bd6f527f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations. | +| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for the path specified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | ## Windows Defender Application Control file rule levels

MessageDate
Take action: January 2020 security update available for all supported versions of Windows
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
January 14, 2020
08:00 AM PT
Advisory: Windows CryptoAPI certificate validation vulnerability
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
  • If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
  • If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
If you are running an unsupported version of Windows 10, we recommend that you upgrade to the current version of Windows 10 to benefit from the latest security protections. For more information about this vulnerability, see the Microsoft Security Guidance for CVE-2020-0601 and the Microsoft Security Response Center blog, January 2020 Security Updates: CVE-2020-0601.
January 14, 2020
08:00 AM PT
Take action: December 2019 security update available for all supported versions of Windows
The December 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
December 10, 2019
08:00 AM PT
Timing of Windows 10 optional update releases (December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer.
December 10, 2019
08:00 AM PT
Windows 10, version 1909 now available
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
November 12, 2019
10:00 AM PT