deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-22 18:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 4918: 12/12 AM Publish

Browse Source
This commit is contained in:
Alma Jenks 2017-12-12 18:30:55 +00:00
commit 4407fb12b6
8 changed files with 313 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
education/windows/images/suspc_createpackage_configurestudentpcsettings_121117.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 534 KiB

10
education/windows/use-set-up-school-pcs-app.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 10/13/2017
ms.date: 12/11/2017
---
# Use the Set up School PCs app
@ -30,6 +30,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
- Enables optional guest account for younger students, lost passwords, or visitors
- Enables optional secure testing account
- Enables optional Windows Automatic Redeployment feature to return devices to a fully configured or known IT-approved state
- Locks down the student PC to prevent mischievous activity:
* Prevents students from removing the PC from the school's device management system
* Prevents students from removing the Set up School PCs settings
@ -41,7 +42,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide. </br>
<center><iframe src="https://www.youtube.com/embed/2ZLup_-PhkA" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/2ZLup_-PhkA" frameborder="0" gesture="media" allow="encrypted-media" allowfullscreen></iframe>
You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
@ -181,12 +182,13 @@ The **Set up School PCs** app guides you through the configuration choices for t
- Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option.
If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
- Select **Enable Windows Automatic Redeployment** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so theyre ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app.
- To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
**Figure 4** - Configure student PC settings
![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings.png)
![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings_121117.png)
When you're doing configuring the student PC settings, click **Next**.

6
education/windows/windows-automatic-redeployment.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 10/16/2017
ms.date: 12/11/2017
---
# Reset devices with Windows Automatic Redeployment
@ -46,13 +46,11 @@ You can set the policy using one of these methods:
- Set up School PCs app
Windows Automatic Redeployment in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app. You can check the version several ways:
- Reach out to your device manufacturer.
- If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version.
- Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709.
To use the Windows Automatic Redeployment setting in the Set up School PCs app:
To use the Windows Automatic Redeployment setting in the Set up School PCs app:
* When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Automatic Redeployment** among the list of settings for the student PC as shown in the following example:
![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg)

2
windows/threat-protection/TOC.md
View File

@ -258,9 +258,11 @@
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)

5
windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
View File

@ -28,7 +28,7 @@ ms.date: 11/20/2017
- Enterprise security administrators
You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@ -74,8 +74,7 @@ You can also use the a custom PowerShell script that enables the features in aud
## Related topics
Topic | Description
---|---
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)

69
windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Submit cab files related to Windows Defender EG problems
description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues.
keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/01/2017
---
# Collect diagnostic data for Windows Defender Exploit Guard file submissions
**Applies to:**
- Windows 10, version 1709
**Audience**
- IT administrators
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard.
In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md).
Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics:
- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md)
- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md)
1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process:
1. Open an administrator-level version of the command prompt:
1. Open the **Start** menu.
2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
3. Enter administrator credentials or approve the prompt.
2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
```Dos
cd c:\program files\windows defender
```
3. Enter the following command and press **Enter**
```Dos
mpcmdrun -getfiles
```
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
2. Attach this .cab file to the submission form where indicated.
## Related topics
- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md)
- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md)
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)

128
windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md Normal file
View File

@ -0,0 +1,128 @@
---
title: Troubleshoot problems with Attack surface reduction rules
description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/01/2017
---
# Troubleshoot Attack surface reduction rules
**Applies to:**
- Windows 10, version 1709
**Audience**
- IT administrators
When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
- A rule blocks a file, process, or performs some other action that it should not (false positive)
- A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
3. Submit support logs
## Confirm pre-requisites
Attack surface reduction (ASR) will only work on devices with the following conditions:
>[!div class="checklist"]
> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
## Use audit mode to test the rule
There are two ways that you can test if the rule is working.
You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only.
The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly.
If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with.
>[!TIP]
>While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature.
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
>[!TIP]
>Audit mode will stop the rule from blocking the file or process.
>
>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
>
>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive).
2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data).
## Add exclusions for a false positive
You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders.
This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us.
To add an exclusion, see the [Customize Attack surface reduction](customize-attack-surface-reduction.md) topic.
>[!IMPORTANT]
>You can specify individual files and folders to be excluded, but you cannot specify individual rules.
>
>This means any files or folders that are excluded will be excluded from all ASR rules.
If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us.
## Collect diagnostic data
You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR.
When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
You must also attach associated files in a .zip file (such as the file or executable that is not being blocked, or being incorrectly blocked) along with a diagnostic .cab file to your submission.
Follow the link below for instructions on how to collect the .cab file:
> [!div class="nextstepaction"]
> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
## Related topics
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Attack surface reduction](attack-surface-reduction-exploit-guard.md)

104
windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md Normal file
View File

@ -0,0 +1,104 @@
---
title: Troubleshoot problems with Network protection
description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/02/2017
---
# Troubleshoot Network protection
**Applies to:**
- Windows 10, version 1709
**Audience**
- IT administrators
When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
- Network protection blocks a website that is safe (false positive)
- Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
3. Submit support logs
## Confirm pre-requisites
Windows Defender Exploit Guard will only work on devices with the following conditions:
>[!div class="checklist"]
> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
## Use audit mode to test the rule
There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode.
You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions.
If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
>[!TIP]
>While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem.
You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run.
1. Enable audit mode for Network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
>[!IMPORTANT]
>Audit mode will stop Network protection from blocking known malicious connections.
>
>If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled.
>
>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address.
## Report a false positive or false negative
You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection.
When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file:
> [!div class="nextstepaction"]
> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
## Related topics
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Network protection](network-protection-exploit-guard.md)