deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-27 16:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #3254 from MicrosoftDocs/master

Browse Source 
Publish 07/08/2020 3:33 PM
This commit is contained in:
Gary Moore
2020-07-08 16:09:28 -07:00
committed by GitHub
parent 2364d90855 35011b96d1
commit 4557d29e7b
7 changed files with 28 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -81,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
Its important to understand that the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.

21
windows/client-management/mdm/policy-csp-system.md
View File

@ -861,14 +861,11 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allow the device to send diagnostic and usage telemetry data, such as Watson.
Allows the device to send diagnostic and usage telemetry data, such as Watson.
For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
The following tables describe the supported values:
Windows 8.1 Values:
The following list shows the supported values for Windows 8.1:
- 0 - Not allowed.
- 1 Allowed, except for Secondary Data Requests.
- 2 (default) Allowed.
@ -896,13 +893,12 @@ Windows 8.1 Values:
</tbody>
</table>-->
Windows 10 Values:
- 0 Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
- 2 Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
- 3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:
- 0 (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 3 (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
<!--<table style="margin-left: 20px">
<colgroup>
@ -2068,4 +2064,3 @@ Footnotes:
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

8
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 06/25/2020
ms.date: 07/08/2020
ms.reviewer:
manager: dansimp
---
@ -47,13 +47,15 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/><br/> For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/defender/wdav-history-wdsc.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 88 KiB

14
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
View File

@ -75,15 +75,11 @@ Now that you have onboarded your organization's devices to Microsoft Defender AT
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html).
> [!TIP]
> Need help? See the following Broadcom resources:
> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054).
3. Remove Symantec from your devices. If you need help with this, see the following Broadcom resources:
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
- macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
## Make sure Microsoft Defender ATP is in active mode

2
windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
View File

@ -46,7 +46,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of
### WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
## AppLocker

15
windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
View File

@ -52,11 +52,10 @@ You can hide notifications that describe regular events related to the health an
This can only be done in Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576).
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -76,15 +75,17 @@ You can hide all notifications that are sourced from the Windows Security app. T
This can only be done in Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**.
> [!NOTE]
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
@ -93,7 +94,7 @@ This can only be done in Group Policy.
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableNotifications"=dword:00000001**
8. Use the following registry key and DWORD value to **Hide not-critical notifications**
8. Use the following registry key and DWORD value to **Hide not-critical notifications**.
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableEnhancedNotifications"=dword:00000001**