Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into authorchange

This commit is contained in:
Greg Lindsay
2019-10-22 13:59:34 -07:00
44 changed files with 706 additions and 144 deletions

View File

@ -9,7 +9,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/19/2018
ms.localizationpriority: medium
ms.date: 10/21/2019
---
# Defender CSP
@ -138,7 +139,7 @@ The following list shows the supported values:
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with non critical failures
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
@ -243,7 +244,7 @@ The following list shows the supported values:
- 2 = Pending reboot
- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan)
- 8 = Pending offline scan
- 16 = Pending critical failure (Windows Defender has failed critically and an Adminsitrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
- 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
Supported operation is Get.
@ -352,6 +353,53 @@ The data type is a string.
Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-isvirtualmachine"></a>**Health/IsVirtualMachine**
Indicates whether the device is a virtual machine.
The data type is a string.
Supported operation is Get.
<a href="" id="configuration"></a>**Configuration**
An interior node to group Windows Defender configuration information.
Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob.
Supported operations are Add, Delete, Get, Replace.
Intune tamper protection setting UX supports three states:
- Not configured (default): Does not have any impact on the default state of the device.
- Enabled: Enables the tamper protection feature.
- Disabled: Turns off the tamper protection feature.
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
The data type is a integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.
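Review bot: The Health/IsVirtualMachine entry says "The data type is a string." while the DDF added to the Defender DDF page in this same commit declares the node as `<bool />`; one of the two needs to change, and a boolean matches the "Indicates whether the device is a virtual machine" wording. Smaller points in the same hunk: "Settings are configured with an MDM solution, such as Intune and is available in" should read "such as Intune, and are available in"; "would require to be set explicitly" should read "must be set explicitly"; "Windows defender" should be "Windows Defender"; "The data type is a integer" should be "an integer"; and the EnableFileHashComputation value list ("1 Enable.", "0 (default) Disable.") should follow the "n = Meaning" form used by the other value lists on the page.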
@ -374,5 +422,4 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -9,7 +9,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/12/2018
ms.localizationpriority: medium
ms.date: 10/21/2019
---
# Defender DDF file
@ -19,7 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1809.
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
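Review bot: Replacing "The XML below is for Windows 10, version 1809." with "The XML below is the current version for this CSP." drops the only statement of which Windows release the DDF describes, so a reader managing 1809 devices can no longer tell whether the TamperProtection and Configuration nodes exist there. Keep the release in the sentence (the what's-new table updated in this commit lists the new Defender nodes next to the version 1903 entries) or add a line stating which nodes are new since 1809.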
@ -628,6 +629,112 @@ The XML below is for Windows 10, version 1809.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TamperProtectionEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsVirtualMachine</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Configuration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TamperProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableFileHashComputation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
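Review bot: IsVirtualMachine is declared `<bool />` here, but the Defender CSP page changed in this same commit says "The data type is a string."; the two documents must agree before this ships. Similarly, TamperProtection is declared `<chr />` while the CSP page calls its type a "Signed blob"; the CSP page should say the signed blob is carried as a string value so the two descriptions read as the same thing.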

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 80 KiB

View File

@ -165,7 +165,7 @@ ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswo
<li><a href="policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon" data-raw-source="[WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)">WindowsLogon/ConfigAutomaticRestartSignOn</a></li>
<li><a href="policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" data-raw-source="[WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)">WindowsLogon/EnableFirstLogonAnimation</a></li>
<tr>
<td style="vertical-align:top"><a href="policy-csp-audit.md" data-raw-source="[Policy CSP - Audit](applicationcontrol-csp.md)">Policy CSP - Audit</a></td>
<td style="vertical-align:top"><a href="policy-csp-audit.md" data-raw-source="[Policy CSP - Audit](policy-csp-audit.md)">Policy CSP - Audit</a></td>
<td style="vertical-align:top"><p>Added new Audit policies in Windows 10, version 1903.</p>
</td></tr>
<tr>
@ -175,6 +175,10 @@ ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswo
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="defender-csp.md" data-raw-source="[Defender CSP](defender-csp.md)">Defender CSP</a></td>
<td style="vertical-align:top"><p>Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="diagnosticlog-csp.md" data-raw-source="[DiagnosticLog CSP](diagnosticlog-csp.md)">DiagnosticLog CSP</a><br>
<a href="diagnosticlog-ddf.md" data-raw-source="[DiagnosticLog DDF](diagnosticlog-ddf.md)">DiagnosticLog DDF</a></td>
<td style="vertical-align:top"><p>Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>
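Review bot: The new Defender CSP row omits the release that the surrounding rows state ("Added new CSP in Windows 10, version 1903."); if this table is scoped to a release, the row should name the Windows 10 version that introduced these nodes, otherwise it only repeats the October 2019 change-history entry further down the page and adds no information.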
@ -1929,17 +1933,19 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
### October 2019
|New or updated topic | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
|[Defender CSP](defender-csp.md)|Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
### September 2019
|New or updated topic | Description|
|--- | ---|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub|
|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub.|
|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies: <br>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
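Review bot: The context line at the top of the hunk, "How do I turn if off?", has a typo ("turn it off"); since this hunk already touches the table directly below it, fix it here. The trailing-period changes to the October and September rows are consistent with each other, but the PassportForWork and Policy CSP - Privacy rows visible in the next hunk still end without a period, so the table is left half-converted.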
@ -1958,7 +1964,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:<br>SecurityKey, SecurityKey/UseSecurityKeyForSignin|
|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider.|
### June 2019

View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
# Enable Secure Score security controls
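Review bot: This hunk deletes ms.date from the front matter instead of updating it, while the other pages touched in this commit bump ms.date to 10/21/2019. Unless this page is meant to carry no date, set ms.date: 10/21/2019 here so the metadata is handled the same way across the commit.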
@ -27,7 +26,7 @@ ms.date: 04/24/2018
Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.

View File

@ -1,7 +1,7 @@
---
title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,9 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
author: denisebmsft
ms.author: deniseb
ms.date: 10/21/2019
ms.reviewer:
manager: dansimp
---
@ -23,21 +23,16 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
It consists of a number of mitigations that can be applied to either the operating system or an individual app.
Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection.
This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Enable exploit protection in audit mode
You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
### Windows Security app
@ -45,12 +40,12 @@ You can set mitigations in audit mode for specific programs either by using the
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply protection to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
@ -76,14 +71,14 @@ Where:
* \<Mitigation>:
* The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
Mitigation | Audit mode cmdlet
-|-
Arbitrary code guard (ACG) | AuditDynamicCode
Block low integrity images | AuditImageLoad
Block untrusted fonts | AuditFont, FontAuditOnly
Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
Disable Win32k system calls | AuditSystemCall
Do not allow child processes | AuditChildProcess
|Mitigation | Audit mode cmdlet |
|---|---|
|Arbitrary code guard (ACG) | AuditDynamicCode |
|Block low integrity images | AuditImageLoad
|Block untrusted fonts | AuditFont, FontAuditOnly |
|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
|Disable Win32k system calls | AuditSystemCall |
|Do not allow child processes | AuditChildProcess |
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
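Review bot: The row "|Block low integrity images | AuditImageLoad" is missing the closing pipe that every other row in the converted table has. Also, the header "Audit mode cmdlet" and the context line "The mitigation's cmdlet as defined in the following table" call these values cmdlets, but AuditDynamicCode, AuditImageLoad and the rest are mitigation names passed to the -Enable parameter of a single command (the context below says to swap -Enable for -Disable to turn audit mode off); "Audit mode option" would be accurate.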
@ -97,14 +92,14 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
Feature | Provider/source | Event ID | Description
-|-|-|-
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
|Feature | Provider/source | Event ID | Description |
|---|---|--|---|
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
## Related topics

View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP evaluation lab
description: Learn about Microsoft Defender ATP capabilities, run attack simulations, and see how it prevents, detects, and remediates threats.
keywords:
keywords: evaluate mdatp, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -26,12 +26,18 @@ Conducting a comprehensive security product evaluation can be a complex process
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where your tenant will be provisioned with test machines. These test machines will come pre-configured to have the latest and greatest Windows 10 version with the right security components in place and Office 2019 Standard installed.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test machines come pre-configured to have the latest and greatest OS versions with the right security components in place and Office 2019 Standard installed.
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs.
You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
## Before you begin
You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender ATP to access the evaluation lab.
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
## Get started with the lab
You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**.
@ -43,15 +49,28 @@ When you access the evaluation lab for the first time, you'll find an introducti
It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform.
>[!NOTE]
>- Each environment is provisioned with only three test machines.
>- Each machine will be available for only three days from the day of activation.
>- When you've used up these three machines, no new machines are provided.
Deleting a machine does not refresh the available test machine count.
>- Each environment is provisioned with a limited set of test machines.
>- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation.
>- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count.
>- Given the limited resources, its advisable to use the machines carefully.
## Evaluation setup
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. The machine will be configured with the most up to date version of Windows 10 and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
## Setup the evaluation lab
1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**, then select **Setup lab**.
![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png)
2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Create lab**.
![Image of lab configuration options](images/lab-creation-page.png)
When the environment completes the setup process, you're ready to add machines.
## Add machines
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines.
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
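Review bot: Several added lines have wording errors: "Depending the type of environment structure you select" needs "Depending on"; "its advisable" should be "it's advisable"; "## Setup the evaluation lab" and "choose to setup an environment" should use the verb "set up"; and "SysIntenals" is carried over from the deleted line and should be "Sysinternals". The note also says machines are available "for the specified number of hours", but the setup steps never state the hours; either give them or say that the lab configuration page shows them.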
@ -74,33 +93,27 @@ Automated investigation settings will be dependent on tenant settings. It will b
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. From the dashboard, select **Add machine**.
1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**.
![Image of lab setup page](images/lab-setup-page.png)
2. Select **Prepare lab**.
![Image of welcome page](images/welcome-evaluation-lab.png)
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.
3. Select **Add machine**.
![Image of lab setup with machine options](images/add-machine-options.png)
>[!WARNING]
>- Each environment is provisioned with only three test machines.
>- Each machine will be available for only three days from the day of activation.
>- When you've used up these three machines, no new machines are provided.
Deleting a machine does not refresh the available test machine count.
>- Given the limited resources, its advisable to use the machines carefully.
![Image of add machine](images/evaluation-add-machine.png)
>[!NOTE]
>If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota.
4. The connection details are displayed. Select **Copy** to save the password for the machine.
3. The connection details are displayed. Select **Copy** to save the password for the machine.
>[!NOTE]
>The password is only displayed once. Be sure to save it for later use.
5. Machine set up begins. This can take up to approximately 30 minutes.
![Image of machine added with connection details](images/add-machine-eval-lab.png)
4. Machine set up begins. This can take up to approximately 30 minutes.
The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
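Review bot: The step list in the new text is hard to follow: two lines are numbered 2 ("Select **Prepare lab**" and "Choose the type of machine to add") and two are numbered 3 ("Select **Add machine**" and "The connection details are displayed"), so confirm the final sequence and renumber. The button is called **Prepare lab** here but **Setup lab** in the "Setup the evaluation lab" section added above; use one name. "Machine set up begins" should read "Machine setup begins".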
@ -165,5 +178,5 @@ Your feedback helps us get better in protecting your environment from advanced a
Let us know what you think, by selecting **Provide feedback**.
![Image of provide feedback](images/eval-feedback.png)
![Image of provide feedback](images/send-us-feedback-eval-lab.png)

Binary file not shown.

After

Width:  |  Height:  |  Size: 66 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 55 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 138 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 114 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 88 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 47 KiB

View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 010/08/2018
ms.date: 10/08/2018
---
# Manage Microsoft Defender ATP incidents

View File

@ -188,7 +188,102 @@ You may now enroll more devices. You can also enroll them later, after you have
</plist>
```
9. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdavtray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
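Review bot: In the new profile, PayloadIdentifier is given the same GUID as PayloadUUID at both the payload level (BB977315-E4CB-4915-90C7-8334C75A7C64) and the profile level (85F6805B-0106-4D23-9101-7F1DFD5EA6D6). Apple's convention is a reverse-DNS PayloadIdentifier with a separate UUID, and macOS treats a profile whose identifier matches an installed one as an update of it, so a meaningful identifier makes the profile easier to manage and replace. Also fill the empty PayloadDescription so the profile's purpose (allowing notifications for com.microsoft.wdavtray and com.microsoft.autoupdate2) is visible in the console.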

View File

@ -118,6 +118,16 @@ Save the **Configuration Profile**.
Use the **Logs** tab to monitor deployment status for each enrolled device.
### Notification settings
Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all machines with Defender:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>NotificationSettings</key><array><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.autoupdate2</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.wdavtray</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadType</key><string>com.apple.notificationsettings</string><key>PayloadUUID</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadVersion</key><integer>1</integer></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>mdatp - allow notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadRemovalDisallowed</key><false/><key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
```
### Package
1. Create a package in **Settings > Computer Management > Packages**.
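Review bot: The profile XML here is collapsed onto a single line, unlike the identical profile added to the Intune page in this same commit; pretty-print it the same way so reviewers can diff the two and readers can check the bundle identifiers and UUIDs before importing. The sentence "a user must manually allow to display notifications in UI" needs an object ("a user must manually allow apps to display notifications"), and "Starting in macOS 10.15 (Catalina)" should be followed by a comma.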

View File

@ -72,7 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
## Configuring from the command line