mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-11 04:47:23 +00:00
Merge branch 'public' into v-smandalika-taskfor4318240
commit
491512c333
@ -38,11 +38,10 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
> [!NOTE]
> You must download the FOD .cab file that matches your operating system version.

1. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
1. Use `Dism` to add Windows Mixed Reality FOD to the image.

```powershell
Add-Package
Dism /Online /add-package /packagepath:(path)
Dism /Online /Add-Package /PackagePath:(path)
```

> [!NOTE]
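Review bot: the step text still says the FOD is added "to the image", but both `Dism` command lines use `/Online`, which services the running operating system rather than a mounted image; if an offline image is the intended target the command should use `/Image:<mount path>` in place of `/Online`, otherwise the step text should say the running OS. The `(path)` placeholder would also read more clearly as `<path to FOD .cab>`, since the note directly above requires a version-matched .cab file.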
@ -220,6 +220,9 @@ If Windows cannot load the system registry hive into memory, you must restore th

If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.

> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).

## Kernel Phase

If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
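Review bot: the added note is missing a space after the period in "RegBack folder.This change is by design". The support link also carries an `en-us` locale segment, while the other links in this merge use locale-free docs URLs; dropping the segment keeps the link consistent with the rest of the repository.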
@ -392,3 +395,6 @@ If the dump file shows an error that is related to a driver (for example, window
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.

> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
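Review bot: the note that RegBack is no longer populated from Windows 10, version 1803 onward arrives only after step 5 has told the reader to copy hives from RegBack; on a 1803 or later system that step finds nothing useful, and the hives have already been renamed in step 4. Suggest placing the note (or a one-line "applies to versions before 1803" qualifier) before step 3, so the reader knows to fall back to a system restore point before touching the hives. The same missing space after "RegBack folder." appears here as in the earlier hunk, and the context line "Rename the all five hives" should read "Rename all five hives".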
@ -52,9 +52,12 @@ Drivers are automatically enabled because they are beneficial to device systems.
#### I want to receive pre-release versions of the next feature update

1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
2. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
3. Use [Update/BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
4. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.

1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.

1. Use [Update/BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.

1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you are testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.

#### I want to manage which released feature update my devices receive

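Review bot: renumbering the steps to `1.` is fine for Markdown auto-numbering, but two wording problems are carried into the new lines unchanged: "For any of test devices you want to install pre-release builds" should read "For any test devices on which you want to install pre-release builds", and "before it reaches your tests" at the end of the deferral step should be "before it reaches your testers".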
@ -102,7 +105,7 @@ Now all devices are paused from updating for 35 days. When the pause is removed,

#### I want to stay on a specific version

If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the **Select the target Feature Update version** setting instead of using the Update/TargetReleaseVersion (or DeployFeatureUpdates in Windows 10, version 1803 and later) setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.
If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](https://docs.microsoft.com/windows/release-information/).

### Manage how users experience updates

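Review bot: the rewritten paragraph drops the old closing sentence "If you don't update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition." If that behaviour still applies to Update/TargetReleaseVersion, it should be kept: an administrator who pins a version needs to know when the pin stops holding and how long the device sits on an unserviced release first. If it no longer applies, the paragraph should say what happens at end of service instead, rather than leaving the question open.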
@ -138,7 +141,7 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineGracePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)

These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardles of active hours.
These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.

These notifications are what the user sees depending on the settings you choose:

@ -172,8 +175,8 @@ There are additional settings that affect the notifications.

We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use the [Update/UpdateNotificationLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:

**0** (default) – Use the default Windows Update notifications
**1** – Turn off all notifications, excluding restart warnings
**0** (default) – Use the default Windows Update notifications<br/>
**1** – Turn off all notifications, excluding restart warnings<br/>
**2** – Turn off all notifications, including restart warnings

> [!NOTE]
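Review bot: forcing line breaks with `<br/>` works, but a Markdown bullet list (`- **0** (default) – Use the default Windows Update notifications`) renders the same without HTML and matches the bulleted policy list used earlier in this file for the ConfigureDeadline settings. If the `<br/>` form is kept, the hunk is already right to leave the last value line (`**2**`) without one.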
@ -64,11 +64,9 @@ This section explains the syntax and usage of the **ScanState** command-line opt

The **ScanState** command's syntax is:

scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
> scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]

For example:

To create a Config.xml file in the current directory, use:
For example, to create a Config.xml file in the current directory, use:

`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`

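Review bot: moving the syntax line into a `>` blockquote makes it render as a quotation rather than as a command synopsis; because the line relies on italics for placeholders it cannot go in a fenced code block, but a plain paragraph reads better than a blockquote. Carried forward unchanged in both the old and the new line: `\[/genconfig:\[*Path*\\\]*FileName*\[/config:...` is missing the closing `\]` after `*FileName*`, so the `/genconfig` and `/config` options run together in the rendered synopsis.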
@ -313,8 +311,8 @@ USMT provides the following options to specify what files you want to migrate.

USMT provides several options that you can use to analyze problems that occur during migration.

**Note**
The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
> [!NOTE]
> The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.



@ -617,13 +615,12 @@ You can use the following options to migrate encrypted files. In all cases, by d

For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).

**Note**
EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
> [!NOTE]
> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files



**Caution**
Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
> [!CAUTION]
> Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.



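Review bot: the EFS note carried into the `> [!NOTE]` form still lacks a terminating period after "migrate the encrypted files". Keeping the caution immediately after the note is the right arrangement: `/efs:copyraw` copies the files in their encrypted form, so the caution's point, that a migrated file is unreadable if its certificate does not travel with it, is exactly what a reader acting on the note needs next.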
@ -720,7 +717,7 @@ The following table indicates which command-line options are not compatible with
<td align="left"><p>/<strong>nocompress</strong></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>X</p></td>
<td align="left"><p></p></td>
<td align="left"><p>N/A</p></td>
</tr>
<tr class="odd">
@ -853,9 +850,8 @@ The following table indicates which command-line options are not compatible with
</table>



**Note**
You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
> [!NOTE]
> You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.



@ -864,11 +860,3 @@ You must specify either the /**key** or /**keyfile** option with the /**encrypt*

[XML Elements Library](usmt-xml-elements-library.md)









@ -21,7 +21,8 @@ ms.custom:
# Manage Windows Defender Credential Guard

**Applies to**
- Windows 10
- Windows 10 <=1903 Enterprise and Education SKUs
- Windows 10 >=1909
- Windows Server 2016
- Windows Server 2019

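Review bot: `Windows 10 <=1903 Enterprise and Education SKUs` and `Windows 10 >=1909` use comparison operators that some Markdown renderers treat as the start of HTML and that readers have to decode; suggest "Windows 10, version 1903 and earlier (Enterprise and Education editions)" and "Windows 10, version 1909 and later". The second line should also say which editions it covers, since the edition qualifier appears only on the first line and the difference between the two is presumably the point of the change.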
@ -24,7 +24,7 @@ manager: dansimp
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)

> [!NOTE]
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.

Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.

@ -48,7 +48,7 @@ The table in this section lists the main Microsoft Defender Antivirus event IDs
## To view a Microsoft Defender Antivirus event

1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
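Review bot: changing the last tree node to **Windows Defender** is the right fix if that is what Event Viewer actually shows, but a reader who knows the product as Microsoft Defender Antivirus (the name used in the heading and the surrounding text) may take the new line for a typo and go looking for a node that does not exist; a short parenthetical saying that the log folder keeps the older product name would prevent that.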
@ -30,70 +30,49 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co


> [!NOTE]
> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes. <br>
> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
> **Microsoft Defender ATP for Android is now available on Google Play.**
> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
Updates to the app are automatic via Google Play.

## Deploy on Device Administrator enrolled devices

**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device
Administrator enrolled devices**

This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported.
This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices.

### Download the onboarding package

Download the onboarding package from Microsoft Defender Security Center.

1. In [Microsoft Defender Security
Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.

2. In the first drop-down, select **Android** as the Operating system.

3. Select **Download Onboarding package** and save the downloaded .APK file.



### Add as Line of Business (LOB) App

The downloaded Microsoft Defender ATP for Android onboarding package. It is a
.APK file can be deployed to user groups as a Line of Business app during the
preview from Microsoft Endpoint Manager Admin Center.
### Add as Android store app

1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add \> Line-of-business app** and click **Select**.
**Android Apps** \> **Add \> Android store app** and click **Select**.




2. On the **Add app** page and in the *App Information* section, click **Select
add package file** and then click the  icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step.
2. On the **Add app** page and in the *App Information* section enter:


- **Name**
- **Description**
- **Publisher** as Microsoft.
- **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP Preview app Google Play Store URL)

Other fields are optional. Select **Next**.

3. Select **OK**.


4. In the *App Information* section that comes up, enter the **Publisher** as
Microsoft. Other fields are optional and then select **Next**.



5. In the *Assignments* section, go to the **Required** section and select **Add
group.** You can then choose the user group(s) that you would like to target
Microsoft Defender ATP for Android app. Click **Select** and then **Next**.
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**.

>[!NOTE]
>The selected user group should consist of Intune enrolled users.


> [!div class="mx-imgBorder"]
>


6. In the **Review+Create** section, verify that all the information entered is
correct and then select **Create**.
6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.

In a few moments, the Microsoft Defender ATP app would be created successfully,
and a notification would show up at the top-right corner of the page.
In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.


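Review bot: the rewritten Device Administrator procedure numbers its steps 1, 2, 3 and then jumps to "6. In the **Review+Create** section", because the old steps 3 to 5 were collapsed into the new step 3; renumber the last step to 4 or switch every step to `1.` as the other files in this merge do. The Appstore URL bullet is still labelled "(Microsoft Defender ATP Preview app Google Play Store URL)" although the note at the top of the hunk now says the app is generally available on Google Play; drop "Preview". The removed sentence "Upgrade from the Preview APK to the GA version on Google Play would be supported." is the only statement about moving existing preview installs to the store build, so if that upgrade path is still supported it is worth keeping one sentence that says so.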
@ -102,15 +81,10 @@ and a notification would show up at the top-right corner of the page.
select **Device install status** to verify that the device installation has
completed successfully.


> [!div class="mx-imgBorder"]
>


During Public Preview, to **update** Microsoft Defender ATP for Android deployed
as a Line of Business app, download the latest APK. Following the steps in
*Download the onboarding package* section and follow instructions on how to [update
a Line of Business
App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app).

### Complete onboarding and check status

1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.
@ -133,27 +107,21 @@ For more information on the enrollment options supported by Intune, see
[Enrollment
Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .

As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.

Currently only Personal devices with Work Profile enrolled are supported for deployment.


>[!NOTE]
>During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).<br>
> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported.

## Add Microsoft Defender ATP for Android as a managed Google Play app
## Add Microsoft Defender ATP for Android as a Managed Google Play app

After receiving a confirmation e-mail from Microsoft that your managed Google
Play organization ID has been approved, follow the steps below to add Microsoft
Follow the steps below to add Microsoft
Defender ATP app into your managed Google Play.

1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add** and select **managed Google Play app**.


> [!div class="mx-imgBorder"]
>


2. On your managed Google Play page that loads subsequently, go to the search
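Review bot: the heading is changed to "Managed Google Play app" (capital M) while the body lines right below it keep lowercase "managed" ("add Microsoft Defender ATP app into your managed Google Play", "select **managed Google Play app**"); pick one form. With the approval note and the "After receiving a confirmation e-mail" sentence removed, "Currently only Personal devices with Work Profile enrolled are supported for deployment." is the only precondition left in this section; confirm it still holds for the store release, since the removed note was the last place that described preview-era restrictions.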
@ -167,7 +135,8 @@ ATP app from the Apps search result.
details on Microsoft Defender ATP. Review the information on the page and then
select **Approve**.


> [!div class="mx-imgBorder"]
>


4. You should now be presented with the permissions that Microsoft Defender ATP
@ -184,13 +153,15 @@ Android might ask. Review the choices and select your preferred option. Select
By default, managed Google Play selects *Keep approved when app requests new
permissions*


> [!div class="mx-imgBorder"]
>


6. After the permissions handling selection is made, select **Sync** to sync
Microsoft Defender ATP to your apps list.


> [!div class="mx-imgBorder"]
>


7. The sync will complete in a few minutes.
@ -200,54 +171,61 @@ Microsoft Defender ATP to your apps list.
8. Select the **Refresh** button in the Android apps screen and Microsoft
Defender ATP should be visible in the apps list.


> [!div class="mx-imgBorder"]
>


9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).

a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.




b. In the **Create app configuration policy** page, enter the following details:
1. In the **Create app configuration policy** page, enter the following details:

- Name: Microsoft Defender ATP.
- Choose **Android Enterprise** as platform.
- Choose **Work Profile only** as Profile Type.
- Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.


> [!div class="mx-imgBorder"]
>

c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions
- External storage (read)
- External storage (write)
1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:

Then select **OK**.
- External storage (read)
- External storage (write)


Then select **OK**.

> [!div class="mx-imgBorder"]
>


d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.


> [!div class="mx-imgBorder"]
>


e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app.
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app.


> [!div class="mx-imgBorder"]
>


f. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>

The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.


The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.

> [!div class="mx-imgBorder"]
>


10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
**Assignments** \> **Edit**.




11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
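Review bot: the sub-steps under step 9 are renumbered from a., b., c. to `1.`; unless those lines are indented under step 9 (the rendered diff does not show leading whitespace), Markdown will start a fresh top-level list and the outer numbering will not resume correctly at "10. Select **Microsoft Defender ATP** app", so check the indentation in the source. Two wording issues are carried forward unchanged: "go to the Permissions section click on Add" needs a comma or "and", and in the Assignments sub-step "Click **Select groups to include** and selecting the applicable group and then selecting **Next**" mixes an imperative with gerunds ("select the applicable group, and then select **Next**"). The trailing `<br>` on the Review + Create line is also unnecessary now that a blank line follows it.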
@ -255,7 +233,8 @@ the device via Company Portal app. This assignment can be done by navigating to
the *Required* section \> **Add group,** selecting the user group and click
**Select**.


> [!div class="mx-imgBorder"]
>


12. In the **Edit Application** page, review all the information that was entered
@ -268,7 +247,8 @@ assignment.
clicking on the **Device Install Status**. Verify that the device is
displayed here.


> [!div class="mx-imgBorder"]
>


2. On the device, you can confirm the same by going to the **work profile** and
@ -279,7 +259,7 @@ confirm that Microsoft Defender ATP is available.
3. When the app is installed, open the app and accept the permissions
and then your onboarding should be successful.




4. At this stage the device is successfully onboarded onto Microsoft Defender
ATP for Android. You can verify this on the [Microsoft Defender Security
@ -289,7 +289,7 @@ This rule helps prevent credential stealing, by locking down Local Security Auth
LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.

This rule was introduced in:
- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
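Review bot: the new guidance, that an app which merely enumerates LSASS but keeps working does not need an exclusion, is the safer reading of this rule, since every exclusion removes the rule's protection of the credential store for that process; the old line told administrators to exclude on noise alone. It would help to say what "no real impact in functionality" means in practice (for example, the app still works after the rule denies the process-open call and logs the event), so administrators have a criterion to decide against rather than excluding on the first logged block. Also "there is NO need" reads better as "there is no need".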
@ -111,7 +111,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
|
||||
|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)<br/> [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
|
||||
|
||||
|
||||
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
|
||||
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
|
||||
|
||||
> [!NOTE]
|
||||
> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br>
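Review bot: "the domains listed in the above table" is not quite accurate, because the only visible table row links to the mdatp-urls.xlsx spreadsheet instead of listing domains inline, so a reader has nothing in the table itself to exclude from HTTPS scanning. Suggest "the domains listed in the spreadsheet" (linking it again) so the SSL-inspection exclusion list is unambiguous and stays limited to those specific hostnames rather than inviting broad wildcard exclusions. The retained note that settings-win.data.microsoft.com is only needed for version 1803 or earlier should be kept next to that reference as well.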
Binary file not shown.
After Width: | Height: | Size: 61 KiB |
Binary file not shown.
After Width: | Height: | Size: 76 KiB |
Binary file not shown.
After Width: | Height: | Size: 35 KiB |
Binary file not shown.
After Width: | Height: | Size: 86 KiB |
@ -27,8 +27,6 @@ ms.topic: conceptual
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
>
> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
> [!CAUTION]
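Review bot: dropping the two pre-release paragraphs is right for general availability, but the bare `>` lines that appear to remain as context (the empty blockquote separators around them) now bracket nothing and may render as stray empty quote blocks ahead of the "[!CAUTION]" note that follows; suggest removing them in the same change so the note block stays well-formed.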
@ -86,8 +84,8 @@ For more information, see [Deploy Microsoft Defender ATP for Android with Micros
> [!NOTE]
> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes. <br>
> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
> **Microsoft Defender ATP for Android is available on Google Play now.**
> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
## How to Configure Microsoft Defender ATP for Android
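Review bot: typo "entrollment" should be "enrollment" on both the retained note line ("Device Administrator and Android Enterprise entrollment modes") and the newly added line ("across Device Administrator and Android Enterprise entrollment modes"). The retained opening sentence also still begins "During public preview, instructions to deploy ... are different", which contradicts the new bold statement that the app is available on Google Play now; rewrite or remove the preview qualifier together with the GA statement so the note is consistent.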
@ -54,8 +54,8 @@ For more information about onboarding methods, see the following articles:
## Azure virtual machines
- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- Offline Azure VMs in the same network of OMS Gateway
- Configure Azure Log Analytics IP as a proxy
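Review bot: the rename to "Azure Log Analytics Gateway" is applied to the "Setup" bullet and its link but not to the rest of the list: the first bullet links "Azure Log Analytics workspace" to the gateway article (…/azure-monitor/platform/gateway) rather than a workspace page, "Offline Azure VMs in the same network of OMS Gateway" still uses the old name, and "Configure Azure Log Analytics IP as a proxy" should read "Azure Log Analytics Gateway IP" so readers point the agent at the gateway, not the service. Also "Setup" as a verb should be "Set up".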
@ -81,16 +81,13 @@ None. Changes to this policy become effective without a device restart when they
### Safe mode considerations
When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled.
If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure.
When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled.
### How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
- When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer.
- When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local
Administrator account that was created.
- When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**.
- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
## Security considerations
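Review bot: the new domain-joined bullet correctly replaces **net user administrator /active: no** with **/active: yes** (the old command disables the built-in account instead of enabling it), but `net user` takes the switch without a space after the colon, so write it as **net user administrator /active:yes**. Because running that remotely via psexec leaves the built-in local Administrator enabled on every server it touches, the bullet should also tell readers to disable it again (**net user administrator /active:no**) once the repair is done, which is the point the "Security considerations" section that follows is meant to cover.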
@ -61,7 +61,12 @@ This setting has these possible values:
This change makes this setting consistent with the functionality of the new **Privacy** setting.
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
- Blank.
- **Domain and user names only**
For a domain logon only, the domain\username is displayed.
The **Privacy** setting is automatically on and grayed out.
- **Blank**
Default setting.
This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**.
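Review bot: the "- Blank." item inserted right after the "Don't display last signed-in" sentence looks like a stray duplicate of the "- **Blank**" entry further down (which is the one with the "Default setting." explanation); drop the first occurrence. For the new "**Domain and user names only**" value, "For a domain logon only, the domain\username is displayed." leaves the local-account logon case undefined; state what the lock screen shows in that case so the exposure of account names is clear for both logon types.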
@ -89,7 +94,7 @@ For all versions of Windows 10, only the user display name is shown by default.
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
Users will not be able to show details.
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username.
In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
Users will not be able to hide additional details.
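Review bot: now that the sentence offers two values ("User display name, domain and user names" or "Domain and user names only"), the following line "In this case, clients that run Windows 10 version 1607 need KB 4013429 applied." is ambiguous about whether the update is required for both values or only for the original one; state explicitly which value(s) depend on KB 4013429.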