deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-test

Browse Source
This commit is contained in:
LizRoss 2017-04-04 14:49:47 -07:00
commit 3f8519fe65
30 changed files with 425 additions and 227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
windows/configure/basic-level-windows-diagnostic-events-and-fields.md
View File

@ -342,13 +342,8 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
- **ActiveNetworkConnection** Is the device an active network device?
- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system.
- **CosDeviceSolution** An enumeration that indicate how a driver on the target operating system is available.
- **CosDeviceSolutionUrl** Empty string
- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data.
- **IsBootCritical** Is the device boot critical?
- **SdbEntries** An array of fields indicating the SDB entries that apply to this device.
- **UplevelInboxDriver** Is there a driver uplevel for this device?
- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update?
- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver.
- **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update.
@ -1984,7 +1979,6 @@ This event sends inventory component versions for the Device Inventory data.
The following fields are available:
- **devinv.dll** The file version of the Device inventory component.
- **aeinv** The version of the App inventory component.
- **devinv** The file version of the Device inventory component.
@ -2006,13 +2000,13 @@ The following fields are available:
- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. Example: {1BCC5142-D98C-430B-B74A-484A0328A7CE}
- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. Example: TRUE
- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. Example:
- **PackageFamilyName** The package family name for a Windows Store app.
- **RootDirPath** The path to the root directory where the program was installed. Example:  %ProgramFiles% (x86)\Neudesic\Azure Storage Explorer 6
- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics) Example: 4/12/2015 01:27:52
- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. Example: 4/11/2015 00:00:00
- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. Example: 4/8/2015 01:06:11
- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). Example: 00000144865763f3de24c2ae5a289fde6db300000904
- **PackageFullName** The package full name for a Store application. Example: Microsoft.Hexic_1.2.0.36_x86__8wekyb3d8bbwe
- **InventoryVersion** The version of the inventory file generating the events.
- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
@ -2048,7 +2042,6 @@ The following fields are available:
- **ModelId** A model GUID.
- **PrimaryCategory** The primary category for the device container.
- **Categories** A comma separated list of functional categories in which the container belongs.
- **Icon** The path or index to the icon file.
- **IsConnected** For physically a attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
- **IsActive** Is the device connected, or has it been seen in the last 14 days?
- **IsPaired** Does the device container require pairing?
@ -2059,6 +2052,7 @@ The following fields are available:
- **ModelNumber** The model number for the device container.
- **Manufacturer** The manufacturer name for the device container.
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
- **objectInstanceId** ContainerId. Example: {552dd320-0dae-2794-2b41-df42fee22488}
- **InventoryVersion** The version of the inventory file generating the events.
@ -2124,8 +2118,6 @@ This event sends additional metadata about a PNP device that is specific to a pa
The following fields are available:
- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01
- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
- **InventoryVersion** The version of the inventory file generating the events.
- **Audio_CaptureDriver** The Audio device capture driver endpoint.

4
windows/configure/change-history-for-configure-windows-10.md
View File

@ -21,4 +21,6 @@ The topics in this library have been updated for Windows 10, version 1703 (also
- [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Provision PCs with apps](provision-pcs-with-apps.md)
- [Provision PCs with apps](provision-pcs-with-apps.md)
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
- [Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)

2
windows/configure/index.md
View File

@ -19,6 +19,8 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
| [Basic level Windows diagnostic data](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |

5
windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -420,6 +420,7 @@ You can also use registry entries to set these Group Policies.
| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled <br /> REG_DWORD: 0|
| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus <br/> DWORD:0 |
To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**
### <a href="" id="bkmk-ie-activex"></a>8.1 ActiveX control blocking
@ -445,6 +446,8 @@ To turn off Live Tiles:
- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
You must also unpin all tiles that are pinned to Start.
### <a href="" id="bkmk-mailsync"></a>10. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@ -495,7 +498,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) <br/> Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank** |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:

9
windows/keep-secure/TOC.md
View File

@ -781,11 +781,12 @@
######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)

1
windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
View File

@ -78,3 +78,4 @@ Portal label | SIEM field name | Description
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/bitlocker-frequently-asked-questions.md
View File

@ -116,7 +116,7 @@ The following table lists what action you need to take before you perform an upg
<td align="left"><p>Decrypt</p></td>
</tr>
<tr class="even">
<td align="left"><p>Upgrade to Windows 10</p></td>
<td align="left"><p>[Feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) for Windows 10 (example: Windows 10, version 1703)</p></td>
<td align="left"><p>Suspend</p></td>
</tr>
<tr class="odd">
@ -129,7 +129,7 @@ The following table lists what action you need to take before you perform an upg
<td align="left"><p>Suspend</p></td>
</tr>
<tr class="even">
<td align="left"><p>Software and operating system updates from Windows Update</p></td>
<td align="left"><p>Software and [quality updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) from Windows Update</p></td>
<td align="left"><p>Nothing</p></td>
</tr>
</tbody>

60
windows/keep-secure/code/example-script.ps1
View File

@ -1,60 +0,0 @@
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
Try
{
$tokenPayload = @{
"resource" = 'https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
"Fetching an access token"
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
"Token fetched successfully"
$headers = @{
"Content-Type" = "application/json"
"Accept" = "application/json"
"Authorization" = "Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitionPayload = @{
"Name" = "Test Alert"
"Severity" = "Medium"
"InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
"Title" = "Test alert."
"UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
"RecommendedAction" = "No recommended action for this test alert."
"Category" = "SuspiciousNetworkTraffic"
"Enabled" = "true"}
"Creating an Alert Definition"
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
"Alert Definition created successfully"
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="IpAddress"
"Value"="52.184.197.12"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
"Creating an Indicator of Compromise"
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
"Indicator of Compromise created successfully"
"All done!"
}
Catch
{
'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
}

50
windows/keep-secure/code/example.ps1
View File

@ -1,50 +0,0 @@
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

51
windows/keep-secure/code/example.py
View File

@ -1,51 +0,0 @@
import json
import requests
from pprint import pprint
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
pprint(json.loads(response.text))

1
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -182,3 +182,4 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
View File

@ -46,6 +46,10 @@ The email notifications feature is turned off by default. Turn it on to start re
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
Here's an example email notification:
![Image of example email notification](images/atp-example-email-notification.png)
## Remove email recipients
1. Select the trash bin icon beside the email address youd like to remove.

9
windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
View File

@ -34,8 +34,8 @@ To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
@ -51,7 +51,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.

1
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -138,3 +138,4 @@ Use the solution explorer to view alerts in Splunk.
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

1
windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
View File

@ -53,3 +53,4 @@ You can now proceed with configuring your SIEM solution or connecting to the ale
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

66
windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
View File

@ -45,7 +45,71 @@ This step will guide you in creating an alert definition and an IOC for a malici
NOTE:<br>
Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
[!code[ExampleScript](./code/example-script.ps1#L1-L60)]
```
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
Try
{
$tokenPayload = @{
"resource" = 'https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
"Fetching an access token"
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
"Token fetched successfully"
$headers = @{
"Content-Type" = "application/json"
"Accept" = "application/json"
"Authorization" = "Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitionPayload = @{
"Name" = "Test Alert"
"Severity" = "Medium"
"InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
"Title" = "Test alert."
"UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
"RecommendedAction" = "No recommended action for this test alert."
"Category" = "SuspiciousNetworkTraffic"
"Enabled" = "true"}
"Creating an Alert Definition"
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
"Alert Definition created successfully"
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="IpAddress"
"Value"="52.184.197.12"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
"Creating an Indicator of Compromise"
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
"Indicator of Compromise created successfully"
"All done!"
}
Catch
{
'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
}
```
3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.

BIN
windows/keep-secure/images/atp-example-email-notification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

4
windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -23,6 +23,8 @@ localizationpriority: high
There are some minimum requirements for onboarding your network and endpoints.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
## Minimum requirements
You must be on Windows 10, version 1607 at a minimum.
For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
@ -114,3 +116,5 @@ When Windows Defender is not the active antimalware in your organization and you
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)

114
windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
View File

@ -36,19 +36,43 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.ps1#L1-L14)]
```powershell
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
```
<span id="header" />
## Step 2: Create headers used for the requests with the API
Use the following code to create the headers used for the requests with the API:
[!code[CustomTIAPI](./code/example.ps1#L16-L19)]
```powershell
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
```
<span id="calls" />
## Step 3: Create calls to the custom threat intelligence API
After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
[!code[CustomTIAPI](./code/example.ps1#L21-L24)]
```powershell
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
```
The response is empty on initial use of the API.
@ -56,18 +80,96 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
[!code[CustomTIAPI](./code/example.ps1#L26-L39)]
```powershell
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
```
<span id="ioc" />
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
[!code[CustomTIAPI](./code/example.ps1#L43-L53)]
```powershell
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
## Complete code
You can use the complete code to create calls to the API.
[!code[CustomTIAPI](./code/example.ps1#L1-L53)]
```powershell
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)

2
windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
View File

@ -49,4 +49,4 @@ The following features are included in the preview release:
- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization.
>[!NOTE]
> All response actions require machines to be on the latest Windows 10 Insider Preview build.
> All response actions require machines to be on the latest Windows 10, version 1703.

1
windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
View File

@ -193,3 +193,4 @@ HTTP error code | Description
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

114
windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
View File

@ -38,20 +38,45 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.py#L1-L17)]
```
import json
import requests
from pprint import pprint
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
```
<span id="session-object" />
## Step 2: Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
[!code[CustomTIAPI](./code/example.py#L19-L23)]
```
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
```
<span id="calls" />
## Step 3: Create calls to the custom threat intelligence API
After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
[!code[CustomTIAPI](./code/example.py#L25-L26)]
```
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
```
The response is empty on initial use of the API.
@ -59,18 +84,95 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
[!code[CustomTIAPI](./code/example.py#L28-L39)]
```
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
```
<span id="ioc" />
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
[!code[CustomTIAPI](./code/example.py#L41-L51)]
```
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
```
## Complete code
You can use the complete code to create calls to the API.
[!code[CustomTIAPI](./code/example.py#L1-L53)]
```syntax
import json
import requests
from pprint import pprint
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
pprint(json.loads(response.text))
```
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)

36
windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
View File

@ -34,13 +34,13 @@ You can contain an attack in your organization by stopping the malicious process
The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days.
The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
**Alerts** - click the corresponding links from the Description or Details in the Alert timeline
**Search box** - select File from the dropdown menu and enter the file name
- **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
- **Search box** - select File from the dropdown menu and enter the file name
2. Open the **Actions menu** and select **Stop & Quarantine File**.
![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
@ -50,11 +50,11 @@ The action takes effect on machines with the latest Windows 10 Insider Preview b
The Action center shows the submission information:
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
**Submission time** - Shows when the action was submitted.
**Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
**Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
**Success** - Shows the number of machines where the file has been stopped and quarantined.
**Failed** - Shows the number of machines where the action failed and details about the failure.
- **Submission time** - Shows when the action was submitted. <br>
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. <br>
- **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.<br>
- **Success** - Shows the number of machines where the file has been stopped and quarantined.<br>
- **Failed** - Shows the number of machines where the action failed and details about the failure.<br>
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
@ -108,9 +108,9 @@ The Action center shows the submission information:
![Image of block file](images/atp-blockfile.png)
**Submission time** - Shows when the action was submitted.
**Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
**Status** - Indicates whether the file was added to or removed from the blacklist.
- **Submission time** - Shows when the action was submitted. <br>
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. <br>
- **Status** - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.</br>
@ -129,9 +129,9 @@ For prevalent files in the organization, a warning is shown before an action is
### Remove file from blocked list
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
**Alerts** - Click the file links from the Description or Details in the Alert timeline
**Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
**Search box** - Select File from the dropdown menu and enter the file name
- **Alerts** - Click the file links from the Description or Details in the Alert timeline <br>
- **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section <br>
- **Search box** - Select File from the dropdown menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**.
@ -173,10 +173,10 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
**Submit files for deep analysis:**
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
Alerts - click the file links from the **Description** or **Details** in the Alert timeline
**Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
Search box - select **File** from the dropdown menu and enter the file name
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: <br>
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline <br>
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section <br>
- Search box - select **File** from the dropdown menu and enter the file name <br>
2. In the **Deep analysis** section of the file view, click **Submit**.
![You can only submit PE files in the file details section](images/submit-file.png)

13
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -151,8 +151,21 @@ Event ID | Message | Resolution steps
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). <br><br>If the event happened during offboarding, contact support.
10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). <br><br>If the problem persists, contact support.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again.
30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine.
63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
<br>
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.

52
windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,52 @@
---
title: Troubleshoot SIEM tool integration issues in Windows Defender ATP
description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP.
keywords: troubleshoot, siem, client secret, secret
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Troubleshoot SIEM tool integration issues
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
## Learn how to get a new client secret
If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
2. Select **Active Directory**.
3. Select your tenant.
4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
5. Select **Keys** section, then provide a key description and specify the key validity duration.
6. Click **Save**. The key value is displayed.
7. Copy the value and save it in a safe place.
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

5
windows/update/waas-configure-wufb.md
View File

@ -234,12 +234,11 @@ When a client running a newer version sees an update available on Windows Update
In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
<table><caption>Group Policy keys</caption><thead><th>Version 1511 GPO keys</th><th>Version 1607 GPO keys</th></thead>
<tbody><tr><td valign="top">**DeferUpgrade**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;
Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**Pause**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**DeferFeatureUpdates**: *enable/disable*</br></br>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set device on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdates**: *Enable/disable*</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDrivers**: *enable/disable*</td></tr>
<tbody><tr><td valign="top">**DeferUpgrade**: *enable/disable*</br>Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**Pause**: *enable/disable*</br>Enabling will pause both upgrades and updates for a max of 35 days</br></td><td>**DeferFeatureUpdates**: *enable/disable*</br></br>**BranchReadinessLevel**</br>Set device on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdates**: *Enable/disable*</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDrivers**: *enable/disable*</br></td></tr>
</table>
<table><caption>MDM keys</caption><thead><th>Version 1511 MDM keys</th><th>Version 1607 MDM keys</th></thead>
<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>&nbsp;&nbsp;&nbsp;Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp; Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td></tr>
<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>Enabling will pause both upgrades and updates for a max of 35 days</br></td><td>**BranchReadinessLevel**</br>Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable*</br></td></tr>
</tbody></table>
### Comparing the version 1607 keys to the version 1703 keys

2
windows/update/waas-optimize-windows-10-updates.md
View File

@ -49,7 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager.
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).

2
windows/update/waas-quick-start.md
View File

@ -42,7 +42,7 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
## Staying up to date
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.

4
windows/update/waas-windows-insider-for-business.md
View File

@ -22,7 +22,7 @@ For many IT pros, gaining visibility into feature updates early—before they
The Windows Insider Program for Business gives you the opportunity to:
* Get early access to Windows Insider Preview Builds
* Provide feedback to Microsoft in real-time via the Feedback Hub app.
* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft especially on features that support your productivity and business needs.
* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft especially on features that support your productivity and business needs.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
@ -126,7 +126,7 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch
### Make sure Windows is activated
Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
### Make sure your coporate account in AAD is connected to your device
### Make sure your corporate account in AAD is connected to your device
Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
### Make sure you have selected a flight ring

23
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -36,9 +36,9 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof
[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md)
### Bulk enrollment in Azure Active Directory
### Azure Active Directory join in bulk
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards.
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
![get bulk token action in wizard](images/bulk-token.png)
@ -180,7 +180,10 @@ We recently added the option to download Windows 10 Insider Preview builds using
### Optimize update delivery
[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
With changes delivered in Windows 10, version 1703, [Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
@ -209,7 +212,7 @@ Some of the other new CSPs are:
- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for fixed drives and removable drives.
- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
@ -217,6 +220,7 @@ Some of the other new CSPs are:
- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
@ -226,7 +230,9 @@ The Windows version of mobile application management (MAM) is a lightweight solu
For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
### MDM diagnostics
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
@ -237,6 +243,13 @@ For more info, see the following topics:
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
### Windows diagnostic data
Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](../configure/basic-level-windows-diagnostic-events-and-fields.md)
- [Windows 10, version 1703 Diagnostic Data](../configure/windows-diagnostic-data.md)
## Windows 10 Mobile enhancements
### Lockdown Designer