Merge pull request #3063 from MicrosoftDocs/jreeds-rebrand-image

Cut images showing old brand name
Gary Moore
2020-06-12 18:24:41 -07:00
committed by GitHub
6 changed files with 72 additions and 73 deletions


@ -68,7 +68,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service: Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
```DOS ```console
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
``` ```
@ -87,9 +87,7 @@ Download the file by visiting the following link:
>[!NOTE] >[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning Microsoft Defender Antivirus notification: If you are properly connected, you will see a warning Microsoft Defender Antivirus notification.
![Microsoft Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
If you are using Microsoft Edge, you'll also see a notification message: If you are using Microsoft Edge, you'll also see a notification message:
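Review bot: With the screenshot removed, the changed sentence "you will see a warning Microsoft Defender Antivirus notification." no longer says what the notification reports; the deleted image's alt text ("informing the user that malware was found") was the only description. Consider folding that into the sentence, for example "you will see a Microsoft Defender Antivirus notification stating that malware was found." The context line about Microsoft Edge that follows still ends with a colon, so check that whatever it introduces is still present.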
@ -107,14 +105,12 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: 3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware.
![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) > [!NOTE]
> Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
>[!NOTE] The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
>Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
>[!IMPORTANT] >[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. >You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.


@ -34,78 +34,97 @@ You can use **Local Group Policy Editor** to enable and configure Microsoft Defe
To enable and configure always-on protection: To enable and configure always-on protection:
1. Open **Local Group Policy Editor**. To do this: 1. Open **Local Group Policy Editor**. To do this:
1. In your Windows 10 taskbar search box, type **gpedit**. 1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
![GPEdit taskbar search result](images/gpedit-search.png) 1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
![GPEdit taskbar search result](images/gpedit-search.png)
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**. 2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
![Microsoft Defender Antivirus](images/gpedit-windows-defender-antivirus.png)
3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this: 3. Configure the Microsoft Defender Antivirus antimalware service policy settings. To do this:
1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table: 1. In the **Microsoft Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting | | Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------| |-----------------------------|------------------------|-------------------------------|
| Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled | Allow antimalware service to startup with normal priority | You can lower the priority of the Microsoft Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
| Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled | | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Microsoft Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
2. Configure the setting as appropriate, and click **OK**. 1. Configure the setting as appropriate, and click **OK**.
3. Repeat the previous steps for each setting in the table.
1. Repeat the previous steps for each setting in the table.
4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this: 4. Configure the Microsoft Defender Antivirus real-time protection policy settings. To do this:
1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**. 1. In the **Microsoft Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Microsoft Defender Antivirus** tree on left pane, click **Real-time Protection**.
![Microsoft Defender Antivirus Real-time Protection options](images/gpedit-real-time-protection.png)
2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting | 1. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
|-----------------------------|------------------------|-------------------------------|
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
| Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
| Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
| Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
3. Configure the setting as appropriate, and click **OK**. | Setting | Description | Default setting |
4. Repeat the previous steps for each setting in the table. |-----------------------------|------------------------|-------------------------------|
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
| Monitor file and program activity on your computer | The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
| Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
| Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
1. Configure the setting as appropriate, and click **OK**.
1. Repeat the previous steps for each setting in the table.
5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this: 5. Configure the Microsoft Defender Antivirus scanning policy setting. To do this:
1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**. 1. From the **Microsoft Defender Antivirus** tree on left pane, click **Scan**.
![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table: ![Microsoft Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
| Setting | Description | Default setting | 1. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
|-----------------------------|------------------------|-------------------------------|
| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled | | Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Microsoft Defender Antivirus engine is asked to detect the activity. | Enabled |
1. Configure the setting as appropriate, and click **OK**.
3. Configure the setting as appropriate, and click **OK**.
6. Close **Local Group Policy Editor**. 6. Close **Local Group Policy Editor**.
## Disable real-time protection in Group Policy ## Disable real-time protection in Group Policy
> [!WARNING] > [!WARNING]
> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended. > Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**. The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
To disable real-time protection in Group policy: To disable real-time protection in Group policy:
1. Open **Local Group Policy Editor**. 1. Open **Local Group Policy Editor**.
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**. 1. In your Windows 10 taskbar search box, type **gpedit**.
1. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**. 2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**. 3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
4. In the **Turn off real-time protection** setting window, set the option to **Enabled**. 4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
5. Click **OK**. 5. Click **OK**.
6. Close **Local Group Policy Editor**. 6. Close **Local Group Policy Editor**.
## Related articles ## Related articles
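Review bot: In the first settings table, the re-indented row "Allow antimalware service to startup with normal priority" ends at `| Enabled` without the closing `|`, while the next row still ends `| Disabled |`; add the trailing pipe so the rows are consistent. The nested steps are renumbered to `1.` throughout while the top-level steps keep explicit numbers, which is worth making uniform. This hunk also keeps several screenshots (`gpedit-search.png`, `gpedit-windows-defender-antivirus-scan.png`, and the two `gpedit-turn-off-real-time-protection` images) while dropping others, so confirm the retained ones do not show the old brand name.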


@ -39,18 +39,12 @@ If Microsoft Defender Antivirus is enabled, the usual options will appear to con
![Windows Security app showing Microsoft Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) ![Windows Security app showing Microsoft Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png)
If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options.
![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.
Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png)
Sliding the switch to **On** will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page. Sliding the switch to **On** will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.
![When enabled, periodic scanning shows the normal Microsoft Defender Antivirus options](images/vtp-3ps-lps-on.png)
## Related articles ## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
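Review bot: The sentence added to the "Underneath any third party AV products" paragraph, "Note that the limited periodic option is a toggle to enable or disable periodic scanning.", repeats the sentence just before it, which already says the link expands "to show the toggle that enables limited periodic scanning". It reads as the removed image's alt text pasted into the body; drop it or merge the two sentences into one.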


@ -61,9 +61,7 @@ In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png)
In Windows Server 2019, the **Add Roles and Feature Wizard** looks like this: In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.
![Add roles and features wizard Windows Server 2019](images/WDAV-WinSvr2019-turnfeatureson.jpg)
### Turn on the GUI using PowerShell ### Turn on the GUI using PowerShell
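Review bot: The changed Windows Server 2019 sentence names the **Add Roles and Feature Wizard**, but the Windows Server 2016 sentence shown in the hunk header calls it the **Add Roles and Features Wizard**. Since this line is being edited anyway, use one name in both places. "Looks much the same" also leaves the reader without the 2019 screenshot, so state any difference that matters for the step, or say there is none.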
@ -110,7 +108,7 @@ Get-Service -Name mpssvc
As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt: As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
```DOS ```console
sc query Windefend sc query Windefend
``` ```


@ -62,9 +62,7 @@ The prompt can occur via a notification, similar to the following:
![Windows notification showing the requirement to run Microsoft Defender Offline](images/defender/notification.png) ![Windows notification showing the requirement to run Microsoft Defender Offline](images/defender/notification.png)
The user will also be notified within the Windows Defender client: The user will also be notified within the Windows Defender client.
![Windows Defender showing the requirement to run Microsoft Defender Offline](images/defender/client.png)
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
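Review bot: The edited sentence still reads "notified within the Windows Defender client" while the surrounding text uses Microsoft Defender names; since this change is about the old brand name, confirm whether the product name here should be updated as well. The removed screenshot was the only illustration of that in-client notice, so consider saying in the sentence that it shows the requirement to run Microsoft Defender Offline, as the deleted alt text did.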
@ -108,7 +106,7 @@ Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85
The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI ```console
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
``` ```
@ -122,10 +120,8 @@ See the following for more information:
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
3. Select **Microsoft Defender Offline scan** and click **Scan now**. 3. Select **Microsoft Defender Offline scan** and click **Scan now**.
> [!NOTE] > [!NOTE]
> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.


@ -73,9 +73,9 @@ If you are a home user, or you are not subject to settings managed by a security
3. Set **Tamper Protection** to **On** or **Off**. 3. Set **Tamper Protection** to **On** or **Off**.
Here's what you see in the Windows Security app: Here's what you see in the Windows Security app:
![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png) ![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png)
## Turn tamper protection on (or off) for your organization using Intune ## Turn tamper protection on (or off) for your organization using Intune
@ -112,10 +112,6 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
5. Assign the profile to one or more groups. 5. Assign the profile to one or more groups.
Here's what you see in the Windows Security app:
![Turning tamper protection on in Windows 10 Enterprise](images/turnontamperprotect-enterprise.png)
### Are you using Windows OS 1709, 1803, or 1809? ### Are you using Windows OS 1709, 1803, or 1809?
If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.