deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into Benny-54-passive-mode

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2021-01-12 13:54:29 -08:00 committed by GitHub
commit 3ff5295f82
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 51 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1534,6 +1534,11 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md",

8
windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 03/05/2020
ms.date: 01/12/2021
---
# Windows Hello biometrics in the enterprise
@ -53,7 +53,7 @@ The biometric data used to support Windows Hello is stored on the local device o
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
@ -81,6 +81,10 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
> [!NOTE]
>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesnt allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)

8
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -14,7 +14,7 @@ metadata:
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.date: 01/12/2021
ms.reviewer:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
@ -137,7 +137,11 @@ sections:
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an additional factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
answer: |
Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesnt allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.

11
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -65,14 +65,17 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
7. Restart the AD FS server.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 4. Launch PowerShell as an administrator.
> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.

6
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -42,6 +42,12 @@ Turn on this feature so that users with the appropriate permissions can start a
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response for servers
Turn on this feature so that users with the appropriate permissions can start a live response session on servers.
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.

89
windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
View File

@ -1,89 +0,0 @@
---
title: Get RBAC machine groups collection API
description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/07/2018
---
# Get KB collection API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
Retrieves a collection of RBAC device groups.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machinegroups
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machinegroups
Content-type: application/json
```
**Response**
Here is an example of the response.
Field id contains device group **id** and equal to field **rbacGroupId** in devices info.
Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup".
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
"@odata.count":7,
"value":[
{
"id":86,
"name":"UnassignedGroup",
"description":"",
"ungrouped":true},
}
```

4
windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
View File

@ -1,6 +1,6 @@
---
title: Investigate Microsoft Defender Advanced Threat Protection files
description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
description: Use the investigation options to get details on files associated with alerts, behaviors, or events.
keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Investigate a file associated with a Microsoft Defender ATP alert
# Investigate a file associated with a Microsoft Defender for Endpoint alert
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

33
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -43,25 +43,30 @@ With live response, analysts can do all of the following tasks:
Before you can initiate a session on a device, make sure you fulfill the following requirements:
- **Verify that you're running a supported version of Windows 10**. <br/>
Devices must be running one of the following versions of Windows 10:
- [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
- **Verify that you're running a supported version of Windows**. <br/>
Devices must be running one of the following versions of Windows
- **Make sure to install appropriate security updates**.<br/>
- 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
- 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- **Windows 10**
- [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)
- [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- **Windows Server 2019 - Only applicable for Public preview**
- Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later
- Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818))
- **Enable live response from the settings page**.<br>
- **Enable live response from the advanced settings page**.<br>
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
- **Enable live response for servers from the advanced settings page** (recommended).<br>
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
- **Ensure that the device has an Automation Remediation level assigned to it**.<br>
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
@ -186,7 +191,7 @@ Here are some examples:
|Command |What it does |
|---------|---------|
|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`Download "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`fg 1234` |Returns a download with command ID *1234* to the foreground. |