diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 494fb897c3..a55e1acb45 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1443,6 +1443,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
  • Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    +

    There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

    + diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index a390391af7..8f5423f922 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -34,11 +34,11 @@ ms.date: 08/21/2017 Mobile Enterprise - check mark1 - check mark1 + check mark3 + check mark3 - check mark1 - check mark1 + check mark3 + check mark3 check mark check mark @@ -48,6 +48,9 @@ ms.date: 08/21/2017

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +

    The following list shows the supported values: - 0 (default)– Not allowed. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 6c0dd2a75b..c33b8625ee 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -448,10 +448,10 @@ ms.date: 08/09/2017 cross mark - check mark2 + check mark3 - check mark2 - check mark2 + check mark3 + check mark3 cross mark cross mark @@ -462,7 +462,10 @@ ms.date: 08/09/2017 > [!NOTE] > This policy requires reboot to take effect. -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. +

    Allows IT Admins to configure Start by collapsing or removing the all apps list. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

    The following list shows the supported values: diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 40f279e10f..a05a03bbe9 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fddacf3a05..e11c92867c 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,6 +7,7 @@ ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index dd5cbaf8b7..cddacc1917 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between Use media to upgrade to the latest Windows Insider Program build. -Long-Term Servicing Channel (Targeted) -Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.) +Semi-Annual Channel (Targeted) +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. -Long-Term Servicing Channel -Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build. +Semi-Annual Channel +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. 
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 8d3a787f3c..a6f560cc33 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f76208ce9c..5f663ae222 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 8e9912ed68..c767d18075 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index d9870313ca..f7f79e2f18 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 63e2727b2a..eb042d424b 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md 
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 621de876bd..5a67eebb9e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- @@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress 192.168.0.2 + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +

    +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
    +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
    +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    +    
    + 12. Minimize the DC1 VM window but **do not stop** the VM. Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. @@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer -### Configure service and user accounts - -Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - ->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
    -New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    -Set-ADUser -Identity user1 -PasswordNeverExpires $true
    -Set-ADUser -Identity administrator -PasswordNeverExpires $true
    -Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -
    - This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 79abd8d757..eb1d2a3b47 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -82,7 +82,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections requiring additional action | Not used Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -Root | Turn off Windows Defender Antivirus | Not used +Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly) Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..52006dcc94 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,193 @@ +--- +title: Windows Defender Advanced Threat Protection exposed APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +--- + +# Windows Defender ATP exposed APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Run queries on the graph API + +### Before you begin +Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. 
+ + ![Image of Create application window](images/atp-azure-create.png) + + - **Name:** WinATPGraph + - **Application type:** Native + - **Redirect URI:** `https://localhost` + + +4. Navigate and select the newly created application. + ![Image of new app in Azure](images/atp-azure-atp-app.png) + +5. Click **All settings** > **Required permissions** > **Add**. + + ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png) + +6. Click **Select an API** > **Microsoft Graph**, then click **Select**. + + ![Image of API access and API selection](images/atp-azure-api-access.png) + + +7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**. + + ![Image of select permissions](images/atp-azure-select-permissions.png) + +You can now use the code snippets in the following sections to query the API using the created app ID. + +## Get an access token +1. Get the Client ID from the application you created. + +2. Use the **Client ID**. For example: + ``` + private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + private const string resourceId = "https://graph.microsoft.com"; + private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; + private const string redirect = "https://localhost"; + HttpClient client = new HttpClient(); + AuthenticationContext auth = new AuthenticationContext(authority); + var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; + client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); + ``` + +## Query the graph +Once the bearer token is retrieved, you can easily invoke the graph APIs. 
For example: + +``` +client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); +// sample endpoint +string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5"; +HttpResponseMessage response = client.GetAsync(ep).Result; +string resp = response.Content.ReadAsStringAsync().Result; +Console.WriteLine($"response for: {ep} \r\n {resp}"); +``` +## Supported APIs + +| Entity | Action | Description | Functions | Route | +|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------| +| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} | +| | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts | +| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts | +| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} | +| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines | +| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files | +| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor | +| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains | +| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips | +| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines | +| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts | +| | GetLogOnUsers | Retrieves a 
collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers | +| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) | +| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines | +| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines | +| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats | +| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines | +| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats | +| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines | +| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines | + +### 
Example queries +After creating the application, you can run the following queries. + +Fetching the top 20 alerts with machine information: +``` +private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; +private const string resourceId = "https://graph.microsoft.com"; +private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; +private const string redirect = "https://localhost"; +HttpClient client = new HttpClient(); +AuthenticationContext auth = new AuthenticationContext(authority); +var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; +client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); +var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow +HttpResponseMessage response = client.GetAsync(ep).Result; +string resp = response.Content.ReadAsStringAsync().Result; +Console.WriteLine($"response for: {ep} \r\n {resp}"); +``` + +Response: +``` +{ + "@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts", + "@odata.count": 20, + "@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20", + "value": [ + { + "id": "636341278149188342_1960231459", + "severity": "Medium", + "status": "New", + "description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. 
Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.", + "alertCreationTime": "2017-06-27T02:36:53.7841015Z", + "category": "Installation", + "title": "Process hollowing detected", + "threatFamilyName": null, + "detectionSource": null, + "classification": null, + "determination": null, + "assignedTo": null, + "resolvedTime": null, + "lastEventTime": "2017-06-29T10:11:54.2872094Z", + "firstEventTime": "2017-06-27T02:30:23.9320988Z", + "machine": { + "id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b", + "computerDnsName": null, + "firstSeen": "0001-01-01T00:00:00Z", + "isOnline": false, + "osPlatform": null, + "osVersion": null, + "systemProductName": null, + "lastIpAddress": null, + "lastExternalIpAddress": null, + "agentVersion": null, + "osBuild": null, + "healthStatus": "Active", + "isAadJoined": null + } + }, +}…. + +``` +Related topics +- Create and build Power BI reports \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png new file mode 100644 index 0000000000..e46547a2ff Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png new file mode 100644 index 0000000000..38767341f9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png new file mode 100644 index 0000000000..0fa908d66c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png new file mode 100644 index 0000000000..31a49811ec Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png new file mode 100644 index 0000000000..2fe20462f2 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png new file mode 100644 index 0000000000..a222f09880 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png new file mode 100644 index 0000000000..effefd5424 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png new file mode 100644 index 0000000000..ce3d0672a6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png new file mode 100644 index 0000000000..5aa454b9c8 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png new file mode 100644 index 0000000000..c8a1a31e06 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png differ
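Review bot: in new-in-windows-mdm-enrollment-management.md (hunk at -1443,6 +1443,11), the added sentence reads "These issues were fixed in Window 10, version 1709"; this should be "Windows 10". The same sentence refers to "the previous release" without naming it, so consider stating the version explicitly so that an admin reading this later knows which builds are affected.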
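Review bot: in policy-csp-privacy.md (hunk at -48,6 +48,9), the added note says only that "There were issues reported with the previous release of this policy" and names neither the release nor the symptom. Since the footnote markers in the edition table change from 1 to 3 in the same file, a reader cannot tell whether the policy is usable before version 1709. Suggest naming the affected version and saying in one clause what did not work.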
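Review bot: in policy-csp-start.md (hunk at -462,7 +462,10), the rewritten description drops "Added in Windows 10, version 1703." while the new note refers to "the previous release", so the page no longer says which release that was. Suggest keeping the "Added in" sentence or naming the version in the note. The added callout is also written `> [!Note]` while the existing one two lines above it in the same hunk is `> [!NOTE]`; use the same casing.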
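Review bot: in windows-10-poc.md (hunk at -771,6 +772,27), the relocated command block puts MDT_BA, CM_JD and CM_NAA into Domain Admins with one shared literal password and `-PasswordNeverExpires $true`, and the only caveat is the quoted paragraph above it, which is lost when the block is copied on its own. Suggest a comment line at the top of the block stating that these values are for the isolated PoC lab only, alongside the existing pointer to the production guidance. The quoted paragraph's last sentence also ends at the link with no period. Separately, the section heading changes from `### Configure service and user accounts` to bold text inside the numbered step, so any link that targets the old heading anchor will stop resolving; worth checking before merge.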
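Review bot: in the new exposed-apis-windows-defender-advanced-threat-protection.md, the Supported APIs table has two wrong routes in the File rows: GetMachines is listed as `/files{id}/machines` (missing slash) and Stats as `/files/{id}/machines`, where every other Stats row uses `/{entity}/{id}/stats`. In the example query, `apiVersion` is interpolated into `ep` but never declared in the snippet, and the trailing comment "// the query itself in yellow" refers to highlighting that does not exist in Markdown; declare the variable next to `resourceId` and drop the comment. The sample response exposes a pre-production host (`graph.microsoft-ppe.com/testwdatp`) in `@odata.context` and `@odata.nextLink` and ends with `}, }….`, which is not valid JSON; replace the host with the public endpoint and close the array properly or mark the truncation in prose. Smaller items: "progammatic" in the front-matter description, the stray comma in "will enable you, to automate", "Related topics" is not a heading, and the file has no newline at end of file.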